IG’s Semiannual Report to Congress

September 2008

CONTENTS

From the Inspector General

Major Challenges for the Department
    Overcome the Setbacks Experienced in Reengineering Decennial Processes, and Conduct a Successful 2010 Census
    Better Position the Department to Address Information Security Risks
    Effectively Manage the Development and Acquisition of NOAA’s Two Environmental Satellites
    Establish a Safety Culture at NIST
    Ensure NTIA Effectively Carries Out Its Responsibilities Under the Digital Television Transition and Public Safety Act
    Other Issues Requiring Significant Management Attention

Work in Progress

Agency Overviews
    Economics and Statistics Administration
    National Oceanic and Atmospheric Administration
    United States Patent and Trademark Office
    Department-Wide Management

Office of Inspector General
    Office of Investigations
    Other OIG Activities
    Tables and Statistics
    Reporting Requirements

[Photo: Commerce Herbert C. Hoover Building. Photo courtesy Commerce Photographic Services.]

FROM THE INSPECTOR GENERAL

We are pleased to present the Department of Commerce Office of Inspector General’s Semiannual Report to Congress for the 6 months ending September 30, 2008. Much of our work during this reporting period focused on two priority areas for the Department: the 2010 decennial census and information security.

2010 Decennial Census

The Census Bureau experienced significant setbacks this past year, which led to the decision to abandon plans for using handheld computers for a major 2010 decennial field operation. Secretary Gutierrez asked the Office of Inspector General to (1) analyze the causes of problems with the Census Bureau’s Field Data Collection Automation contract, (2) review plans and budgets to determine 2010 census high-risk areas, and (3) examine decennial decision documents and expenditures. We are nearing completion of reviews in all three areas and will promptly report our findings to the Secretary and Congress.

We recently issued two reports on high-risk decennial operations. The first was on the bureau’s cost estimates for fingerprinting temporary census workers—a new undertaking for this decennial that is projected to cost $148 million (see page 15). This estimate is hundreds of millions of dollars lower than earlier projections the bureau had developed, and reflects savings identified through our work and a concurrent analysis by Department and Census officials.

The second report, issued shortly after the close of the semiannual period, is on the bureau’s dress rehearsal test of its address canvassing operation. This operation is essential to, among other things, successfully delivering census questionnaires to U.S. households, and is estimated to cost $500 million. The test revealed serious problems, and we recommended actions for mitigating them in the short time that remains before the actual 2010 operation begins. Our full report is available at www.oig.doc.gov and will be summarized in our next Semiannual Report to Congress.

We also issued a capping report highlighting the problems we’ve identified with 2010 operations in reviews conducted since the beginning of this decennial cycle (page 13). These early reports pointed to the potential for the kinds of problems the bureau is now confronting.

Information Security

We evaluated 10 information technology systems throughout the Department to meet the annual requirements of the Federal Information Security Management Act (FISMA). Information security has been a material weakness at Commerce since 2001. Last year, we worked with the Department to implement a 2-year plan for improving the certification and accreditation (C&A) process to eliminate the material weakness. The FISMA reviews we completed this year indicate that progress is being made: we concluded that, generally, Commerce’s C&A process had improved. In order to eliminate the material weakness, the Department needs to ensure the progress continues until system C&As consistently meet required standards.

Other Areas of Focus

Among our other work during this reporting period, we completed a review of Commerce earmarks at the request of the Senate Subcommittee on Federal Financial Management, Government Information, and International Security. We assessed NOAA’s National Data Buoy Center operations and NOAA’s partnership arrangements with state agencies for enforcing fisheries regulations. And our ongoing international telemarketing fraud investigation resulted in another four convictions and more than $94 million in fines and restitution. We also identified the top management challenges for the Department for fiscal year 2009. We briefly summarize those challenges here and will issue a full report.

We look forward to working with the Department to address these challenges. And we thank Secretary Gutierrez, senior officials throughout the Department, and members of Congress for their support of our work during this reporting period and for their responsiveness to our recommendations for improving Commerce operations.

MAJOR CHALLENGES FOR THE DEPARTMENT

The Reports Consolidation Act of 2000 requires inspectors general to identify the top management challenges facing their departments. For FY 2009 Commerce OIG has identified five top challenges that require immediate and significant action from the Department, and four longer term issues that require its sustained attention. These challenges provide the focus for much of our work, as we assess the Department’s progress in addressing them.

Top Management Challenges

• Overcome the Setbacks Experienced in Reengineering Decennial Processes, and Conduct a Successful 2010 Census
• Better Position the Department to Address Information Security Risks
• Effectively Manage the Development and Acquisition of NOAA’s Two Environmental Satellites
• Establish a Safety Culture at NIST
• Ensure NTIA Effectively Carries Out Its Responsibilities Under the Digital Television Transition and Public Safety Act

Challenge 1
Overcome the Setbacks Experienced in Reengineering Decennial Processes, and Conduct a Successful 2010 Census

The ability of the U.S. Census Bureau to successfully conduct its constitutionally mandated decennial count of U.S. residents in 2010 is at serious risk. After spending 8 years developing a completely new approach to census-taking—one that was to automate major field operations—the bureau scrapped plans for using handheld computer technology for the largest and most expensive of these operations, known as nonresponse follow-up, because of significant performance problems and loss of confidence in the Field Data Collection Automation (FDCA) contractor. It will now conduct this operation using paper and pencil, as it has done in previous censuses.

The inability of the bureau and its contractor to work together to produce a handheld computer and related systems for field data collection as originally envisioned, combined with major flaws in the bureau’s cost-estimating methods and other issues, have added an estimated $2.2 billion to $3 billion to the original $11.5 billion life-cycle cost estimate.

The Department and the Census Bureau have taken significant actions during the past year to address problems, including extensive changes to decennial management, improvements in program management practices, and closer oversight of the decennial effort by the Department. However, despite these changes, significant risks remain for the 2010 decennial. Whether the bureau can in fact retool in time to conduct a reliable census, even at this increased price tag, represents in our view the most significant challenge facing the Department.

Census 2010 was to be the first high-tech count in the nation’s history, with decennial employees using handheld computers to verify addresses through global-positioning software, collect data from households that did not mail back census questionnaires (i.e., nonresponse follow-up), and manage a variety of information and tasks. The handheld computers were the centerpiece of the strategy and other decennial operations were built around or impacted by the decision to use them. The switch to paper processes will require additional field staff and support personnel—which means more time to hire and train, and more dollars to do so. And it means Census must modify its other plans and operations to account for the change.

For example, address canvassing will remain automated, but will undergo its final operational test over an 8-day period, rather than the 3 months originally allotted. This operation is essential to, among other things, successfully delivering questionnaires and giving temporary staff accurate addresses and maps for nonresponse follow-up. Dress rehearsal testing of the operation—which concluded in June 2007—revealed serious problems, and plans for testing and enhancing the handhelds since dress rehearsal have been severely compressed. Address canvassing will undergo its final operational test over an 8-day period, rather than the 3 months originally allotted in the plan for the retooled census. We question whether Census will have the time to resolve issues arising from the 8-day test, scheduled for December, before the start of the 2010 operation. Training of address canvassers for the live operation commences in February 2009, leaving the bureau only a short period of time to fix any problems identified in this final test.

[Photo: US Census Bureau] Address canvassers used the handheld computers to update maps and addresses in census testing, but the systems had significant problems. The time remaining for resolving the problems is extremely compressed.

Help desk operations—key to ensuring the handhelds function properly during address canvassing—are just now in the process of being redesigned. Census is also taking over the regional census center communications infrastructure—which under the contractor has experienced numerous problems that must be resolved to ensure a successful 2010 count.

Overcoming automation-related issues is but one aspect of the challenge facing Census. The bureau must also address the readiness of numerous other operations that have suffered from inattention throughout the decade because of the greater than anticipated focus on automation problems. Census had to cancel tests of procedures for enumerating some traditionally difficult groups and settings, such as the homeless and military bases, while completed tests of others, such as American Indian reservations, have shown little effect on mitigating long-standing obstacles to producing accurate counts. Census cites the FY 2008 continuing resolution as the reason for cancellation of many of its planned tests.

In addition, the bureau must have a fingerprinting program in place prior to hiring the estimated 1.3 million temporary workers needed for field operations. Because the decision to fingerprint was made only recently, Census faces significant risks in implementing this $148 million operation.

The overarching reason for the significant problems Census has encountered to date is the failure of Census Bureau management in place at the time to anticipate the complex IT requirements involved in automating the census. Contributing factors the Department and Census must address include the insular nature of the bureau and lack of management with proven expertise in running complex programs and system acquisitions or applying contemporary private sector management methods.

With the first major decennial operation (address canvassing) beginning in early 2009, the new Secretary will have little time left for planning for the 2010 decennial, although he or she will have responsibility for its overall implementation. However, the new Secretary will have the opportunity to initiate planning for the 2020 census, using the lessons learned from the 2010 census.

Challenge 2
Better Position the Department to Address Information Security Risks

As in many federal agencies, putting proper information security controls in place has been an intractable problem at the Department of Commerce and a long-standing item on OIG’s watch list. Despite additional expenditures to mitigate the problem, the Department has reported information security as a material weakness every year since FY 2001.

The reason for the material weakness is ineffective certification and accreditation (C&A): the Federal Information Security Management Act (FISMA) and OMB policy require agencies to certify that their systems and data are protected with adequate, functioning security controls before authorizing (accrediting) a system to operate. But year after year our FISMA reviews have found ineffective C&A processes that do not adequately identify and assess needed controls and ultimately fail to assure that systems and data are protected.

Securing systems from cyber threats is clearly the most difficult piece of the challenge, because these threats represent a moving target: they increase in number and sophistication almost daily. And as agencies incorporate wireless and other technologies to support their operations and workplace flexibilities, they invite new risks that must be anticipated and mitigated.

To be effective in this environment, the Department’s IT security program must be proactive and fluid, staffed by IT security professionals who have the appropriate skills and experience to implement required security controls, assess their effectiveness, and anticipate and respond to emerging threats. They also need appropriate security clearances to effectively deal with potential cyber attacks. We have found IT security staff lacks adequate understanding of the Department’s IT security policy, NIST standards and guidance, and security technology, and therefore cannot appropriately apply them. The Department cites lack of resources as a major impediment to improving IT security.

We have been working with the Department to eliminate the material weakness by the end of 2009 under a jointly developed plan that incorporates realistic milestones and measurable steps for building consistent and repeatable C&A practices. A key element of the strategy is continuous monitoring, which requires agencies to regularly assess and adjust their security controls to maintain or improve protective measures. Our FISMA reviews this year noted improvements, but still fewer than half the systems we evaluated met FISMA standards. However, several showed subsequent improvements because of rigorous continuous monitoring activities.

The Department has made progress toward implementing the Cyber Security Assessment and Management tool—a software application developed by the Department of Justice that allows users to take a 360-degree approach to C&A. They can input system information as they begin the C&A process, and, among other things, generate and implement a security plan that complies with FISMA requirements, analyze security requirements, and track resolution of vulnerabilities and the results of security control monitoring. The systems we reviewed this year were certified and accredited without the benefit of the tool. But once fully integrated, the tool should bring greater consistency to the C&A process across all Commerce bureaus.

Challenge 3
Effectively Manage the Development and Acquisition of NOAA’s Two Environmental Satellites

NOAA is modernizing its environmental monitoring capabilities, spending billions of dollars on two satellite systems that provide critical data: the National Polar-orbiting Operational Environmental Satellite System (NPOESS) and Geostationary Operational Environmental Satellite-R Series (GOES-R).

Space acquisitions like NPOESS and GOES-R are highly technical and complex and have a history of cost overruns, schedule delays, and performance failures. The costs and schedules of both of these systems have significantly increased since the projects commenced. They therefore require careful oversight to minimize any further disruption and to prevent any gaps in satellite coverage—a situation that could have serious consequences for the safety and security of the nation.

The $12.5 billion NPOESS project will provide continuous weather and environmental data for longer term weather forecasting and climate monitoring through the coming 2 decades.¹ The initial plan called for the purchase of six satellites at a cost of $6.5 billion, with a first launch in 2008. But problems with a key sensor—the Visible/Infrared Imager Radiometer Suite (VIIRS)—were a major contributor to the current $12.5 billion estimate, while the number of satellites was reduced to four and the first launch pushed back to 2013. Recent analysis indicates that the $12.5 billion estimate could substantially increase in the near future.

¹ The cost of the NPOESS program is shared equally by NOAA and the Department of Defense.

The $7.7 billion GOES-R system will offer an uninterrupted flow of high-quality data for short-range weather forecasting and warning, and climate research through 2028. An inadequate acquisition and management process contributed to underestimated costs for GOES-R and planned satellite capabilities that were too ambitious. As a result, the projected cost of GOES-R has increased from $6.2 billion to $7.7 billion, a major sensor has been removed, and the number of satellites to be purchased has decreased from four to two.

Reining in additional costs and delays in both programs requires very specific action and vigilant oversight. For NPOESS, the three agencies developing the system—NOAA, NASA, and the Department of Defense—must (1) control and resolve the continuing problems with VIIRS, and (2) improve triagency decision making. Because NPOESS is the only source of critical weather and environmental data, it is especially important that VIIRS problems be resolved and congressional confidence in and support of the program be maintained.

For GOES-R, NOAA needs to (1) work closely with the Department to ensure they follow best practices in overseeing the acquisition while awaiting development of formal Commerce oversight policies and procedures to guide such projects, and (2) work with Congress to update the baseline life-cycle cost estimate used in its annual reporting on the satellite system.

Challenge 4
Establish a Safety Culture at NIST

A June 2008 plutonium spill at the National Institute of Standards and Technology’s Boulder, Colorado, laboratory raised serious concerns about NIST’s ability to perform state-of-the-art research with radioactive and other dangerous materials while protecting the safety of workers and the community at large.

The plutonium spill was one of several incidents reported at NIST labs in the past few years that have revealed management flaws and a lax safety culture at the agency. But it was by far the most serious in terms of the potential for widespread harm.

The plutonium spill prompted a series of reviews by independent health and safety experts, the Department of Energy, and NIST’s Ionizing Radiation Safety Committee, all of which shared a common finding—a commitment to safety at NIST Boulder is seriously lacking.

Two studies conducted by NIST have identified a backlog of more than $500 million in facility maintenance and repair requirements. A 2004 study found $458 million in deficiencies at NIST’s Gaithersburg campus and a 2008 study identified $48 million in deficiencies at Boulder. Many of the items relate directly to safety. NIST noted that it should be investing at least $50 million to $70 million annually to bring its facilities to a “fair” condition and stay ahead of further deterioration. According to the Department, NIST received $32 million for facilities in FY 2008.

Challenge 5
Ensure NTIA Effectively Carries Out Its Responsibilities Under the Digital Television Transition and Public Safety Act

The Digital Television Transition and Public Safety Act of 2005 assigned the National Telecommunications and Information Administration responsibility for implementing a $2.5 billion initiative for the conversion to digital television and improvements to public safety communications. The act authorizes NTIA to use $1.5 billion to support the nation’s February 2009 switch to all-digital broadcasting by offering coupons toward the purchase price of converter boxes that will enable analog television sets to receive digital broadcasts.

A primary purpose of the switch is to free up radio frequencies for advanced wireless emergency communications at state and local levels. NTIA will use ap-
                      proximately\t$1\tbillion\tto\tfund\tgrants\tfor\tpublic\tsafety\t\n                                                                                     interoperable communications (PSIC) projects in all\n                                                                                     50\tstates,\tthe\tDistrict\tof \tColumbia,\tand\tthe\tU.S.\tter-\n                                                                                     ritories\xe2\x80\x94a total of 56 entities.\n\n                                                                                     The authorizing legislation requires NTIA to coor-\n                                                                                     dinate\t with\t the\t Department\t of \t Homeland\t Security\t\n                                                                                     in\t administering\t the\t PSIC\t program\t and\t set\t a\t statu-\n                                                                                     tory\tdeadline\tof \tSeptember\t30,\t2010,\tto\texpend\tgrant\t\n                                                                                     funds.\tSubsequent\tlegislation\tset\ta\tstatutory\tdeadline\t\n                                                                                     of \tSeptember\t30,\t2007,\tfor\tthe\taward\tof \tgrants.\n                                                                         NIST\n\n                                                                                     Converter Box Coupon Program Is\n       According to a 2008 study, the NIST Boulder campus, pictured above, had\n                                                                                     Progressing\n       $48 million in facility deficiencies, many of them related to safety.\n                                                                 NTIA\thas\tmade\tsubstantial\tprogress\tin\tpreparing\ttele-\n                          
                                       vision\t viewers\t for\t the\t switch\t to\t digital\t broadcasting\t\n       It\tis\tclear\tfrom\tthe\tcircumstances\tsurrounding\tthe\tplu- by dispensing up to two $40 coupons per household\n       tonium\tincident\tand\tsubsequent\trevelations\tthat,\tat\ta\t to\t offset\t the\t purchase\t price\t of \t the\t converter\t boxes,\t\n       minimum,\tNIST\tmust\tmake\tsafety\ta\tprimary\tconcern\t which enable analog TVs to receive digital signals.\n       at all organizational levels and strictly comply with all NTIA\tcontracted\twith\tIBM\tto\tprovide\tcertain\tservic-\n       federal\trequirements\tand\tindustry\tstandards.\tIt\tmust\t es\tto\timplement\tthe\tcoupon\tprogram,\tand\thad\tissued\t\n       establish\t and\t enforce\t stringent\t policies\t and\t proce- more\t than\t 26\t million\t coupons\t as\t of \t September\t 30,\t\n       dures for handling hazardous materials and strict lines 2008,\tand\tredeemed\t10\tmillion\tof \tthem.\n       of \taccountability\tfor\timplementing\tthem.\n                                                                 Maintaining\t strict\t accountability\t for\t funds\t in\t a\t pro-\n                                                                 gram of this type and size requires careful oversight\n                                                                 and\t strong\t internal\t controls\t to,\t among\t other\t things,\t\n                                                                 guard\tagainst\twaste,\tfraud,\tand\tabuse\tamong\tretailers,\t\n                                                                 and\tto\tadapt\tto\tevolving\tprogram\trequirements.\t\n\n\n                                                                                 \x18\n\x0cMajor Challenges for the Department                                                                   September \x18008\xe2\x80\x94Semiannual Report to Congress\n\n\n\n                                             
                                             largest\tgrants.\tOnly\tone\tstated\tthat\tit\tplans\tto\tacquire\t\n                                                                                          most\tof \tits\tinteroperable\tcommunications\tequipment\t\n                                                                                          within\tthe\tnext\t6\tmonths.\tEight\ttold\tus\tthey\tare\tin\tthe\t\n                                                                                          early\tstages\tof \tplanning\ttheir\tacquisitions.\tThe\tother\t\n                                                                                          13\twill\tstart\tacquiring\tmost\tof \ttheir\tinteroperable\tcom-\n                                                                                          munications\tequipment\tin\tlate\tFY\t2009\tor\tpossibly\tat\t\n                                                                                          the\tbeginning\tof \tFY\t2010.\tGiven\tall\tthat\tmust\tfollow\t\n                                                                                          the purchase of equipment\xe2\x80\x94installation, operational\n                                                                                          testing, and training at a minimum\xe2\x80\x94grantees who are\n                                                                                          still\tin\tthe\tacquisition\tstage\tas\tlate\tas\tFY\t2010\tface\tthe\t\n                                                                                          very\treal\tpossibility\tof \tarriving\tat\tthe\tprogram\xe2\x80\x99s\tSep-\n                                                                                          tember\t30\tdeadline\twith\tpartially\tcompleted\tprojects\t\n                                                                                          but without funding to finish them out.\n\n                              
                                                            NTIA\tshould\texpeditiously\tidentify\tgrantees\twho\tare\t\n                                                                                          at\thigh\trisk\tof \tnot\tmeeting\tthe\tstatutory\tdeadline\tfor\t\n                                                                                          completing\ttheir\tprojects,\tgive\tthem\tthe\ttechnical\tas-\n                                                                                          sistance\tthey\tneed\tto\taccelerate\tthe\tprocess,\tcarefully\t\n                                                                               OIG        monitor\ttheir\tprogress,\tand\tkeep\tCongress\tinformed\t\n        This communications tower was erected by an Arkansas PSIC grantee as              of \tthe\tPSIC\tprogram\xe2\x80\x99s\tstatus\ttoward\tachieving\tits\tob-\n        part of its interoperable communications project. Obtaining FCC licenses to\n                                                                                          jectives.\tIf \tany\tentities\tseem\tstill\tunlikely\tto\tmeet\tthe\t\n        build these towers and meeting various state and local requirements can add\n        months or years to a project\xe2\x80\x99s time frame.                                        deadline,\tNTIA\tshould\twork\twith\tCongress\tto\textend\t\n                                                                                          it.\n        Although\t administering\t the\t coupon\t program\t is\t\n        NTIA\xe2\x80\x99s primary role, the act authorizes the agency to\n        use\t up\t to\t $5\t million\t for\t outreach\t and\t education\t to\t                      Other Issues Requiring Significant\n        ensure\t that\t consumers\t know\t about\t both\t the\t digital\t                         Management Attention\n        TV transition and the coupons. 
Although the Federal\n        Communications\t Commission\t has\t primary\t respon-                                 Several\t other\t Commerce\t operations\t and\t activities\t\n        sibility\tfor\tconsumer\teducation\tand\toutreach,\tNTIA\t                               present\t longer\t standing\t challenges,\t and\t their\t resolu-\n        should\tcontinue\tto\twork\twith\tstakeholders,\tincluding\t                             tion\tis\tessential\tto\tthe\tDepartment\xe2\x80\x99s\tsound\tmanage-\n        representatives of groups at risk of finding themselves                           ment and mission success. The first\xe2\x80\x94acquisition\n        without\ttelevision\treception\ton\tFebruary\t17,\t2009,\tto\t                            management\xe2\x80\x94has ramifications Department-wide.\n        ensure\ta\tsmooth\ttransition\tto\tdigital\ttelevision.\t                                The remaining three\xe2\x80\x94though agency-specific\xe2\x80\x94have\n                                                                                          a\t direct\t bearing\t on\t Commerce\xe2\x80\x99s\t missions\t relating\t to\t\n        PSIC Grantees May Not Be Able to Finish                                           U.S.\t economic\t strength\t and\t competitiveness,\t or\t na-\n        Projects Within the Mandated Time Frame                                           tional\tsecurity.\n        The\tPSIC\tprogram\tis\ta\tone-time\tgrant\topportunity\tto\t\n        target specific funds and resources toward improving                              Weaknesses in the Department\xe2\x80\x99s\n        the\tinteroperability\tof \tlocal\tand\tstate\tvoice\tand\tdata\t                          Acquisition Oversight and Acquisition\n        communications.\tBut\tgrantees\tare\tmoving\tslowly,\tand\t                              Workforce\n        whether\tthey\tcan\tcomplete\ttheir\tprojects\tby\tthe\tstatu-                            Acquisition\t and\t contract\t 
management\t has\t been\t a\t\n        tory\tdeadline\tof \tSeptember\t30,\t2010,\tis\tquestionable.                            persistent\t watch\t list\t item\t for\t inspectors\t general\t and\t\n                                                                                          GAO,\tas\trelated\tgovernment\tspending\thas\tballooned\t\n        As\tof \tSeptember\t2008,\tgrantees\thad\tspent\tless\tthan\t                              in\t recent\t years.\t Spending\t on\t contracts\t government-\n        1.5\t percent\t of \t the\t available\t $1\t billion,\t which\t leaves\t                   wide,\t for\t example,\t has\t more\t than\t doubled\t since\t\n        them\tonly\t2\tyears\tto\tcomplete\ttheir\tprojects\tor\tlose\t                             2000\xe2\x80\x94from $208 billion to $430 billion in FY 2007.\n        funding.\tIn\tSeptember\tand\tOctober\t2008\twe\tcontact-                                Meanwhile,\tthe\tfederal\tacquisition\tworkforce\thas\tre-\n        ed\t 22\t grantees,\t including\t 19\t of \t the\t 20\t receiving\t the\t                   mained\t fairly\t constant,\t and\t the\t projects\t it\t supports\t\n\n\n                                                                                      8\n\x0cSeptember \x18008\xe2\x80\x94Semiannual Report to Congress                                                                 Major Challenges for the Department\n\n\n\n       have\tgreatly\tincreased\tin\tcomplexity\tand\trisk.\t                         USPTO\xe2\x80\x99s Long and Growing Patent Pro-\n       Over\tthe\tnext\t2\tyears,\tthe\tDepartment\tof \tCommerce\t                     cessing Times, and Its Financing Vulner-\n       will\tspend\tan\taverage\tof \tapproximately\t$3\tbillion\tan-                  abilities\n       nually\t on\t goods\t and\t services.\t The\t 2010\t decennial\t\n       census\t and\t two\t critical\t NOAA\t satellite\t systems\t will\t\n                                                             
 The efficiency with which the U.S. Patent and Trade-\n       account\tfor\troughly\ta\tthird\tof \tthese\tannual\texpendi-\n                                                              mark Office processes patent applications has a direct\n       tures.\t All\t three\t of \t these\t programs\t have\t already\t suf-\n                                                              bearing\ton\thow\twell\tit\tachieves\tits\tmission\tof \tpromot-\n       fered significant cost overruns and schedule delays\n                                                              ing\tU.S.\tcompetitiveness.\tMeeting\tthe\tdemand\tfor\tnew\t\n       because\tof \tweaknesses\tin\tacquisition\tmanagement.\t\n                                                              patents\tin\ta\ttimely\tmanner\thas\tbeen\ta\tlong-standing\t\n                                                              challenge\t for\t USPTO.\t Increases\t in\t both\t the\t volume\t\n       The\tDepartment\tdoes\tnot\thave\tcoherent\tpolicies\tto\t\n                                                              and\tcomplexity\tof \tpatent\tapplications\thave\tlengthened\t\n       guide\tsystems\tacquisition\tor\teffective\toversight\tmech-\n                                                              application\tprocessing\ttimes\tand\tbacklogs\tdramatical-\n       anisms,\tand\tthese\tfailings\twere\tmajor\tcontributors\tto\t\n                                                              ly. 
In 2004, USPTO had a patent backlog of nearly a\n       the problems we identified with NOAA\xe2\x80\x99s GOES-R\n                                                              half-million\t applications\t and\t processing\t times\t of \t 27\t\n       satellite program and the Census Bureau\xe2\x80\x99s field data\n                                                              months.\tBy\t2007,\tprocessing\ttimes\taveraged\tnearly\t32\t\n       collection\tautomation\tcontract.\tCommerce\talso\tlacks\t\n                                                              months,\twith\twait\ttimes\tfor\t communications-related\t\n       a sufficient amount of skilled contracting and project\n                                                              patents as long as 43 months.\n       management\texpertise.\t\n                                                                               As\tof \tSeptember\t30,\t2008,\tUSPTO\treported\ta\tback-\n       The\t Department\t is\t working\t to\t address\t these\t prob-\n                                                                               log\t of \t 750,596\t applications\t and\t estimated\t that\t the\t\n       lems,\t but\t the\t process\t is\t slow\t and\t in\t its\t early\t stages.\t\n                                                                               backlog\t will\t exceed\t 860,000\t by\t September\t 2011.\t\t\n       Commerce\tis\tstrengthening\tacquisition\tand\tcontract-\n                                                                               USPTO\tneeds\tto\treverse\tthe\tupward\ttrend\tand\tcon-\n       ing\tby\tupdating\tits\tantiquated\tpolicies\tand\tprocedures\t\n                                                                               tinue\t to\t implement\t measures\t discussed\t in\t its\t 2007-\n       to\tpromote\tmore\teffective\tplanning,\timplementation,\t\n                                                                               2012 strategic plan that have 
a significant impact on\n       and\t oversight.\t It\t is\t also\t taking\t steps\t to\t make\t better\t\n                                                                               reducing\tthe\tbacklog,\tsuch\tas\tshortening\tapplication\t\n       use of its oversight bodies\xe2\x80\x94the Acquisition Review\n                                                                               review\ttimes,\timproving\texaminer\terror\trates,\tand\thir-\n       Board\t and\t the\t Commerce\t Information\t Technology\t\n                                                                               ing,\ttraining,\tand\tretaining\tskilled\texaminers.\t\n       Review Board\xe2\x80\x94and to ensure acquisition plans are\n       appropriate,\tand\tprograms\tand\tcontracts\tare\treviewed\t\n                                                                               USPTO\xe2\x80\x99s unique financing structure also presents\n       at\tkey\tdecision\tpoints\tin\ttheir\tlife\tcycle.\t\n                                                                               challenges.\t There\t is\t a\t complex\t relationship\t between\t\n                                                                               the number of patent applications filed, the size of\n       But\tsuccess\tin\tthese\tefforts\twill\tnot\tbe\tenough\tto\tim-\n                                                                               the\tapplication\tbacklog,\tthe\tnumber\tof \tpatents\tissued,\t\n       prove\tthe\tDepartment\xe2\x80\x99s\toverall\tacquisition\toperations\t\n                                                                               and\tthe\tfees\tUSPTO\tcollects\tin\tconnection\twith\tthe\t\n       without\t commensurate\t success\t in\t hiring\t and\t retain-\n                                                                               patent\tprocess.\tThe\tagency\tuses\tfees\tcollected\ttoday\tto\t\n       ing a qualified acquisition workforce. 
The Depart-\n                                                                               pay for patent applications filed and examined in prior\n       ment\tneeds\ta\tcomprehensive\thuman\t capital\t strategy\t\n                                                                               years.\tWith\tthe\tbacklog\tgrowing,\tprocessing\ttimes\tin-\n       that (1) taps into government-wide recruiting initia-\n                                                                               creasing, and the number of patents issued flattening,\n       tives, (2) explicitly defines what acquisition skills and\n                                                                               this method of financing could become increasingly\n       competencies\tit\tneeds\tand\thow\tthey\twill\tevolve\tover\t\n                                                                               risky\t because\t of \t the\t potential\t shortfall\t in\t future\t fee\t\n       the short and long term, and (3) offers professional\n                                                                               collections. 
The current model for financing USPTO\xe2\x80\x99s\n       development\tand\tother\tincentives\tto\tattract\tand\tkeep\t\n                                                                               critical\tmission\twarrants\tattention\tto\tensure\tthat\tit\twill\t\n       qualified candidates.\n                                                                               continue to provide sufficient funding to process all\n                                                                               backlogged applications as well as any newly filed.\n\n\n\n\n                                                                           \x18\n\x0cMajor Challenges for the Department                                                 September \x18008\xe2\x80\x94Semiannual Report to Congress\n\n\n\n        NOAA\xe2\x80\x99s Ability to Conserve the Nation\xe2\x80\x99s                         Management\tAct,\twhich\trequires\tannual\tcatch\tlimits,\t\n        Fragile Oceans and Living Marine Re-                            an end to overfishing by 2011, and better integration\n        sources While Ensuring a Vital U.S. 
Com-                        of fishery management planning with national envi-\n        mercial Fishing Industry                                        ronmental\t review\tprocedures\tto\tensure\tthe\tenviron-\n                                                                        mental impacts of any significant ocean activity under\n                                                                        consideration\t are\t thoroughly\t vetted.\t The\t success\t of \t\n        According\tto\tNOAA,\t3.5\tmillion\tsquare\tmiles\tof \tour\t            these\tnew\trequirements\tin\timproving\tthe\tstatus\tof \tour\t\n        coastal\t and\t deep\t ocean\t waters\t and\t the\t Great\t Lakes\t      marine\tresources\tdepends\ton\thow\teffectively\tNOAA\t\n        support over 28 million jobs\xe2\x80\x94one of every six\xe2\x80\x94in                can\tenforce\tthem\twithout\tundermining\tthe\thealth\tof \t\n        the\t United\t States,\t and\t the\t value\t of \t the\t U.S.\t ocean\t   the U.S. fishing industry. 
To fulfill its mandates for liv-\n        economy\ttops\t$115\tbillion.\tBut\tthese\teconomic\tben-              ing\t marine\t resources,\t NOAA\t also\t needs\t to\t take\t ac-\n        efits come at great cost as the health of our ocean and         tion\tto\trebuild\tpopulations\tof \tprotected\tspecies,\tcon-\n        coastal\tecosystems\tcontinues\tto\tdecline\tin\tthe\tface\tof \t        serve\t important\t habitats,\t and\t undertake\t the\t science\t\n        increasing coastal development, pollution, overfish-            programs\tnecessary\tto\timprove\tits\tunderstanding\tof \t\n        ing,\tand\tthe\tdestructive\timpact\tof \tinvasive\tspecies.\t          complex\tmarine\tecosystems.\n        Charged\twith\tmaintaining\tand\timproving\tthe\tviability\t\n                                                                        BIS\xe2\x80\x99 Setbacks in Modernizing Its Obso-\n        of \t marine\t and\t coastal\t ecosystems\t while\t supporting\t\n                                                                        lete Information Technology Infrastruc-\n        global\tmarine\tcommerce\tand\ttransportation,\tNOAA\t\n        manages a significant portion of the federal govern-            ture to Strengthen the Dual-Use Export\n        ment\xe2\x80\x99s\tinvestment\tin\tliving\tmarine\tresources.\tIt\tfaces\t         Control System\n        difficult challenges in promoting the health of these           \t\n        resources\t while\t ensuring\t they\t sustain\t the\t vital\t eco-     In January 2007, GAO added the Bureau of Indus-\n        nomic benefits we derive from them.                             
try\tand\tSecurity\xe2\x80\x99s\tdual-use\texport\tcontrol\tsystem\tto\tits\t\n                                                                        government-wide\thigh-risk\tlist.\tOne\tof \tthe\tkey\tchal-\n        In January 2007, the President signed the reautho-              lenges\tfacing\tBIS\tin\tensuring\tthat\tthe\tdual-use\texport\t\n        rized Magnuson-Stevens Fishery Conservation and                 control\t system\t is\t properly\t equipped\t to\t advance\t U.S.\t\n                                                                        national\tsecurity,\tforeign\tpolicy,\tand\teconomic\tinter-\n                                                                        ests\t is\t the\t replacement\t of \t its\t obsolete\t Export\t Con-\n                                                                        trol Automated Support System (ECASS). BIS\xe2\x80\x99 core\n                                                                        export\tadministration\tand\tenforcement\tbusiness\tpro-\n                                                                        cesses\tare\tdirectly\tsupported\tby\tECASS.\tApproximate-\n                                                                        ly 450 federal staff and 28,000 exporters currently use\n                                                                        the system. 
However, the database structure\xe2\x80\x94origi-\n                                                                        nally deployed in 1984\xe2\x80\x94is complex and no longer\n                                                                        supported\t by\t the\t technology\t industry.\t The\t effort\t to\t\n                                                                        modernize ECASS began in 1996, but the project has\n                                                                        been\tbeset\tby\ttechnical\tproblems,\tschedule\tslips,\tand\t\n                                                                        funding\tshortages\tthat\tcurrent\tmanagement\thas\tbeen\t\n                                                                        attempting\t to\t address\t in\t a\t budget-constrained\t envi-\n                                                                        ronment.\t\n\n                                                                        The\tcurrent\tprojected\tcompletion\tdate\tfor\tthe\tECASS\t\n                                                                        modernization is FY 2014. Based on our interviews,\n                                                                        the\t total\t funding\t requirements\t for\t ECASS\t modern-\n                                                                        ization are not clearly established. 
BIS must provide a comprehensive plan for what is required to modernize ECASS, including how much it will cost and how it will avoid the management and technical problems experienced in past modernization attempts.

Enhancing the performance of ECASS and ensuring continued operation of an effective licensing information system are far too important to postpone any longer. BIS must demonstrate that it has a modernization strategy and plan in place to convincingly make the case for increased funding, or develop a plan to implement its ECASS modernization effort with existing resources (i.e., reallocate existing funding).


Work in Progress

During this reporting period, the Office of Inspector General initiated the following audits and evaluations:

BIS

IT Infrastructure System

Determine whether continuous monitoring of information security controls is (1) keeping the authorizing official sufficiently informed about the operational status and effectiveness of security controls; and (2) resulting in prompt mitigation of any identified security control deficiencies. Also assess whether BIS has resolved deficiencies we identified in our FY 2006 Federal Information Security Management Act evaluation.

Issues Related to the Bureau of Industry and Security’s Budget and Responsibilities for International Treaty Implementation and Compliance

Review budget management practices in the Bureau of Industry and Security related to international treaty implementation and compliance activities.

Census

2010 Decennial Census Reviews in Response to Commerce Secretary’s Request

• Field Data Collection Automation Contract. Determine (1) why cost estimates have increased while the scope of the contract has been reduced; (2) why funds were not available for the contract to proceed as planned; and (3) what went wrong with processes for defining requirements and developing and testing systems.
• High-Risk Decennial Activities. Review cost, schedule, and performance/quality issues, with the goal of providing timely analysis and recommendations for decision makers.
• Decision Documents and Expenditures. Identify the decision documentation and other information used to support allocations and spending for the 2010 census and determine whether they are consistent with planned activities and budget requests.

2008 Dress Rehearsal Test of Address Canvassing Operation

Determine the extent to which address canvassing improved the accuracy of the master address file—the comprehensive, nationwide listing of addresses the bureau will use to contact households either via mail or in person to collect census data.

NIST

Policies and Procedures for Handling Radioactive Materials

Evaluate NIST’s training, safety, and response policies and procedures relative to radioactive materials as well as controls over its inventory of and access to these materials. Also assess whether the agency’s management structure facilitates incident preparedness and response, and the extent to which security and emergency protocols protect the health and safety of NIST employees at research labs and the surrounding communities.

NOAA

National Marine Fisheries Service’s Northeast Fisheries Science Center

Evaluate NMFS’ implementation of National Standard 2 of the Magnuson-Stevens Fishery Conservation and Management Act, which requires that conservation and management measures in fishery management plans be based on the best scientific information available. In particular, we are assessing the extent to which the “best available science” has been used in developing fishery management plans and NMFS’ procedures for responding to data requests from the public.

Fisheries Finance Loan Program

Audit the operation and effectiveness of the direct loan portion of this NOAA program, which accounts for $412 million of the total amount of loans approved since the program’s inception in FY 1997.

Facility Replacement Alternatives for NOAA’s Southwest Fisheries Science Center

Evaluate NOAA’s cost-benefit analysis for selecting from among the three options it is considering for replacing one of the center’s buildings.

Policies for Disseminating Research Data

Assess Department and NOAA policies regarding public release of research data in general, as well as the events surrounding a NOAA web site article and follow-up fact sheet on Atlantic hurricanes and climate.

NTIA

Management of Public Safety Interoperable Communications (PSIC) Grant Program

Assess management of the Public Safety Interoperable Communications grant program by NTIA and the Federal Emergency Management Agency and report to Congress as required by amendments to Section 3006 of the Digital Television Transition and Public Safety Act of 2005 (Title III of the Deficit Reduction Act of 2005, Pub. L. No. 109-171).

Audits of Arkansas, Louisiana, Nevada, and Pennsylvania Public Safety Interoperable Communications Grants

Determine the progress these states have made in acquiring and deploying interoperable communications with PSIC grant funds and whether their use of these funds is meeting all federal requirements.

Converter Box Coupon Program

Assess the adequacy of NTIA’s controls to prevent waste, fraud, and abuse in the program, and the effectiveness of its program and contract oversight.

USPTO

Quality Assurance Process

Determine (1) the effectiveness of USPTO’s patent quality assurance process in ensuring that established standards of patent examination quality are met, and (2) whether the process complies with applicable Department, bureau, and federal laws, regulations, policies, procedures, and guidelines.

FY 2008 Financial Statements and Information Technology Controls

Determine whether the financial statements are fairly stated in accordance with generally accepted accounting principles. These audits are performed by an independent public accounting firm, under OIG oversight.

Department-wide

FY 2008 Consolidated Financial Statements, Information Technology Controls, and Special Purpose Statements

Determine whether the financial statements are fairly stated in accordance with generally accepted accounting principles. These audits are performed by an independent public accounting firm, under OIG oversight.

Grants Oversight

Assess oversight activities designed to detect and prevent fraud in the various grant programs administered by EDA, NIST (NIST and NTIA grants), and NOAA (NOAA, ITA, MBDA, and Office of the Secretary grants); and consider the Office of Acquisition Management’s role in the grants process, which includes developing, coordinating, and overseeing Commerce’s financial assistance policy, and implementing government-wide grants policy directives at the Department.


ECONOMICS AND STATISTICS ADMINISTRATION

The Economics and Statistics Administration analyzes economic developments, formulates policy options, and produces a major share of U.S. government economic and demographic statistics. The chief economist monitors and analyzes economic developments and directs studies that have a bearing on the formulation of economic policy. ESA has two principal agencies:

The U.S. Census Bureau is the country’s preeminent statistical collection and dissemination agency. It publishes a wide variety of statistical data about the nation’s people and economy, conducting approximately 200 annual surveys, in addition to the decennial census of the U.S.
population and the quinquennial census of industry.

The Bureau of Economic Analysis prepares, develops, and interprets the national income and product accounts (summarized by the gross domestic product), as well as aggregate measures of international, regional, and state economic activity.


2010 Decennial Census: OIG Reviews Through the Decade Identify Significant Problems in Key Operations

The Census Bureau’s announcement last April that it would not use handheld computers to count Americans who do not return 2010 census questionnaires and the $2.2 billion to $3 billion increase in the estimated life-cycle cost made it clear that the 2010 census was at risk. The Office of Inspector General issued a briefing report on the work we had conducted on the decennial census to that point: the six reports we issued between 2000 and April 2008 highlighted a series of continuing problems in the areas of contracting, maps and address lists, systems development, and enumerating hard-to-count populations. We summarized our major findings as follows. Census’s response to our findings and recommendations is presented in the individual reports, which are available at www.oig.doc.gov.

Field Data Collection Automation (FDCA) Contract (OSE-17368, OIG-17524)

The Census Bureau’s decision in 2001 to automate certain major operations for the 2010 decennial posed significant risks while offering considerable potential efficiencies, savings, and improvements in the count. The handheld computers Census proposed using were the centerpiece of its reengineered field operations. But problems with their development have led to an enormous growth in the estimate to complete the FDCA contract and have impacted the entire 2010 operational plan. In 2005, we reported numerous issues with the acquisition process for the handheld devices. Census had originally intended to develop them in-house and tested prototypes in both 2004 and 2006. The devices and related systems had serious problems in both tests, including crashes, slow response times, and lost data. These experiences should have better informed the bureau’s efforts to define requirements for the contractor. Since letting the contract, Census has changed and added numerous requirements before finally abandoning plans to use these devices for nonresponse follow-up.

Maps and Addresses (OIG-17524, OSE-18027, OSE-15725)

Developing an accurate master address file (MAF) and maps has been a long-standing problem for the bureau. Our reviews have found numerous instances in which enumerators are sent into the field with incorrect maps and address information.

Map and Address Reliability

In Census 2000, the master address list contained millions of duplicates. Our 2008 review of the address canvassing operation conducted during dress rehearsal continued to find errors in the lists that resulted in duplicate addresses or missed housing units.

Inadequate maps and address lists were an issue during the 2006 test of update/enumerate—the paper-based operation Census uses to survey American Indians living on reservations—and these tools were a key factor in the operation’s failure to improve the population count. We found that enumerators often could not locate households because maps lacked current community landmarks and other details that help one navigate large rural communities devoid of traditional postal addresses. The bureau had expected the handheld devices to facilitate its ability to improve map details and address lists during address canvassing. But the technical problems with the systems we noted in both the 2004 and 2006 tests prevented field staff from making the extensive corrections needed. To compensate for the map deficiencies, we recommended that the bureau equip enumerators with handheld computers containing GPS for navigation and the GPS coordinates collected during address canvassing.

Photo (OIG): Four people attempted to sort out this area using maps that lacked landmarks and some roads. They introduced numerous errors to the housing information.

System and Software Development

Shortly after the 2000 census, the Census Bureau initiated an in-house upgrade of the technology supporting MAF/TIGER[1] to improve map and address accuracy for 2010. We evaluated the upgrade project in its early stages, and found that the bureau did not have an effective management process in place at the project’s inception: system requirements, a work plan, and project schedule were not developed in tandem, and this complex redesign got a late start. We also found that the bureau’s software development process did not follow key industry standards and best practices for minimizing risk.

[1] TIGER stands for Topologically Integrated Geographic Encoding and Referencing.

Quality Control

Without sound quality control procedures, Census lacks assurance that field operations are working as intended and the data collected is reliable. Our reviews of census operations tested in 2006 recommended some enhancements to the quality check for group quarters address lists to improve their accuracy, and to quality procedures in update/enumerate to better identify missed housing units. In the 2008 dress rehearsal, the bureau greatly streamlined quality control procedures for address canvassing, but technology problems prevented Census from collecting reliable data to assess and improve the procedures before 2010.

Hard-to-Count Populations (OSE-18027, IPE-18046, OIG-16949)

The Census Bureau develops separate operations that target people who are especially difficult to count, such as the homeless, or those who live in remote areas or in certain types of group situations (e.g., prisons, college dormitories). We evaluated the 2004 and 2006 tests of several of the operations.

Update/Enumerate

This operation is used to survey reservations and other sparsely populated, remote locations, and update maps and addresses. Our review of the update/enumerate operation tested in 2006 evaluated the impact of a change to better capture reservation household size and found it to be ineffective, ultimately adding only one person to the total number of residents in these households.

Group Quarters

People who live in group situations (college dormitories, nursing homes, prisons, and group homes) are hard to count accurately, partly because developing precise criteria for identifying who to include in this group is difficult. Our review of the group quarters enumeration approach tested in 2004 found the bureau made little progress in improving its ability to count this population: criteria were ambiguous and were developed after training materials had been prepared. The materials therefore did not offer adequate instruction on how to differentiate and properly categorize certain types of group homes.

Census addressed some of these problems in the 2006 test. It developed and verified a list of group quarters and either helped residents complete the form, left census questionnaires to be picked up at a later time, or used administrative records to fill in the needed information. Even so, the response rate among certain groups was low. (OIG-19217)

Photo (OIG): Small residential group quarters often blend into single family neighborhoods and are incorrectly enumerated. This convent in the Austin, TX, test site was not counted as a group quarters.


Plans, Costs for Fingerprinting Temporary Staff Remain Uncertain

Census must conduct background checks to assess the suitability of all temporary decennial employees. For the 2010 decennial, Census plans for the first time to submit applicants’ fingerprints along with background check requests to meet the requirements of the National Crime Prevention and Privacy Compact Act of 1998. The Compact generally requires that biometric information accompany requests for criminal history records that are being accessed for purposes unrelated to criminal justice matters, such as determining employment suitability. The bureau expects to hire 1.3 million temporary workers to conduct the 2010 census. The FBI estimates that about 1 percent of these workers—or 13,000—will have criminal backgrounds that will not be correctly detected by a name check alone.

Fingerprinting will help mitigate the risk of hiring temporary employees with unsuitable backgrounds, but it is a major new operation for the decennial census that could cost hundreds of millions of dollars. Census has developed several cost estimates for the operation that reflect different assumptions and operational plans. We examined its April 1, 2008, estimate of $494 million to identify possible cost reductions and recommended a number of cost-cutting measures, which we summarize here and which the bureau incorporated in a subsequent estimate released on May 1.

A more pressing concern, however, is that operational plans and funding for satisfying legal requirements under the Compact remain unresolved. We first urged Census and the Department to resolve the fingerprinting issue promptly in February 2008 and reiterated our concern in our March 2008 Semiannual Report to Congress. Commerce’s June 2008 amended FY 2009 budget submission to Congress included $10 million for “exploring options to most efficiently incorporate fingerprinting into [the bureau’s] overall screening process.” According to the May cost estimate, Census will need $56 million for fingerprinting during FY 2009. The continuing uncertainty surrounding fingerprinting plans increases operational risks and makes it impossible to accurately estimate and budget for decennial operations.

Census shaves nearly $100 million from estimate in response to OIG analysis

Our review of the April 1 estimate found that the number was inflated by $46.1 million because Census had double-counted certain administrative costs. We also identified measures for reducing costs of examiner training and fingerprinting kits, for another $53.5 million in savings. Specifically, we suggested that the bureau hold several “administrative” days, during which examiners fingerprint temporary hires, rather than just one such day as originally intended. This would reduce the number of examiners and fingerprinting kits needed, and thus reduce associated training and materials costs. The examiners would fingerprint several groups of temporary staff over successive days and reuse their fingerprinting kits at each session.

Census’s May estimate eliminated the double-counted cost and assumed two administrative days, which cut the number of examiners by about 60,000 and saved $30.5 million in related training costs. It changed its cost model assumptions to account for reusing fingerprint kits, for a savings of $23 million.

Department and Census decide to make other changes

Concurrent with our review, the Department also worked with Census to identify possible savings. Like OIG, the Department suggested that Census reuse some fingerprinting kits, specifically, those purchased to fingerprint recruits hired for operations that precede nonresponse follow-up (e.g., address canvassing). In addition, Department and Census officials decided on the following changes:

• Reduce the assumed travel time and distance for temporary employees’ commuting to administrative sessions, which reduced the May estimate for mileage reimbursement. However, we note that neither the April nor May estimates for travel time and distance are supported by benchmark data from Census 2000.
• Cut class sizes from 16 to 12, which shortened the time examiners need to fingerprint the class.
• Reduce the number of scanners needed for scanning fingerprint cards and the fees paid to the FBI for conducting the checks.
• Modify assumptions for handling personally identifiable information, shipping the fingerprint cards, and hiring a contractor to train examiners.

These adjustments accounted for another $46.4 million reduction in the May estimate.

Additional savings may be possible

While the May projection was substantially lower than the April one, we found that the estimate for processing fingerprinting kits should have been $3.5 million lower to reflect the purchase of fewer kits. We also noted that costs for examiner training and scanning equipment could be cut further if the bureau adds additional administrative days.

Our Recommendations

We recommended that the Department and the Census Bureau do the following:

1. Finalize plans and cost estimates for fingerprinting temporary workers during 2010 that comply with all applicable legal requirements in order to reduce uncertainty and the associated operational and budget risks.
2. Assess the cost and operational implications of processing fewer fingerprint kits, adding more administrative sessions, and reducing the number of scanners required as more sessions are added.
3. Further evaluate the time and distance assumptions required for travel to training locations to ensure that they are consistent with available benchmark data from the 2000 decennial.

Bureau Response

Census officials stated that they, along with the Department, have considered our recommendations and made progress toward specifying the operational procedures and estimated costs of fingerprinting for the 2010 Census. (OIG-19058-1)


FISMA Reviews at BEA and Census Identified Certification and Accreditation Weaknesses, But Continuous Monitoring Leads to Improvements

To meet FY 2008 FISMA reporting requirements, we evaluated the certification and accreditation of the Bureau of Economic Analysis’s Estimation Information Technology System (BEA-EITS), Census’s Wireless Data Communications General Support System, and the Field Data Collection Automation system. We also tested selected security controls on BEA-EITS and the Wireless Data Communications system.

To gauge the impact of continuous monitoring—a process that is emphasized in the latest FISMA guidance—we revisited the BEA system after our C&A work concluded to determine whether continuous monitoring was in fact having the desired effect of mitigating the deficiencies we had identified. We found that it was: many of the problems noted in our C&A review had been corrected.

The results of our FISMA work at BEA and Census are summarized below.


Testing Security Controls and Tracking Vulnerabilities Among Weak Points in BEA Certification Process

BEA-EITS handles all of the bureau’s mission-related information technology operations and data—much of which is of critical importance to the nation. According to its own description, BEA “produces some of the most closely watched U.S. economic statistics that influence critical financial decisions made by governments, businesses, and households.” BEA-EITS supports the agency’s core business processes of collecting, analyzing, tabulating, and disseminating data.

Our review found that the system security plan was adequate to support the certification process. But the resulting certification had a number of weaknesses:

• It lacked credible supporting evidence that security controls on system components were properly tested to verify they were implemented correctly and operating as intended.
• It did not include some significant system vulnerabilities in either the security assessment report or in the agency’s plan of action and milestones (POA&Ms) document.

Our own assessment of a set of system components found significant security control weaknesses that BEA’s certification did not identify.

We concluded that BEA needs to, among other things, improve security control assessments to (1) include adequate detailed and credible validation of the assessments’ scope, procedures, and outcomes for specific system components; (2) comply with Department policy and FISMA guidance for tracking and correcting system security weaknesses; and (3) clearly articulate in the C&A documentation the vulnerabilities for which the bureau is


Improved Security Control Assessments Needed for Other-
accepting risk.                                                      wise Acceptable Census C&A\n                                                                                                  Process\n         Bureau Response\n                                                                                                  The Wireless Data Communications system enables\n         BEA did not specifically indicate whether it agreed                                      office automation, communications, file access, and\n         with our findings (with the exception of the need to                                     other services for approved wireless devices. The sys\xc2\xad\n         better track security weaknesses), and its proposed                                      tem comprises two wireless network domains: a secure\n         corrective actions are not fully responsive to our rec\xc2\xad                                  network that handles day-to-day business information\n         ommendations. The bureau did indicate its intention                                      and is restricted to sworn Census employees and a\n         to use our recommendations to improve BEA infor\xc2\xad                                         guest network that permits non-Census personnel to\n         mation security, and noted that it has improved its                                      access the Internet.\n         continuous monitoring program to ensure it assesses\n         the effectiveness of security controls on all system                                     Our review showed the system security plan was gen\xc2\xad\n         components. 
(OSE-19001)                                                                  erally adequate and certification assessments were\n                                                                                                  generally effective and comprehensive but some im\xc2\xad\n                                                                                                  provements were needed in both: several control de\xc2\xad\n                                                                                                  scriptions in the security plan did not fully address\n                      Why Is Continuous \n                                                         control requirements, some controls were inaccurately\n                     Monitoring Important?\n                                                       identified, and some assessment procedures were not\n           A critical aspect of the security authorization                                        sufficient to validate all control requirements.\n           process is the post-authorization period involv\xc2\xad\n           ing the continuous monitoring of an information                                        In addition, our own assessment of system compo\xc2\xad\n           system\xe2\x80\x99s security controls (including common                                           nents uncovered vulnerabilities in five areas that re\xc2\xad\n           controls).                                                                             quired remediation. 
We concluded that the certifica\xc2\xad\n                                                                                                  tion was sufficient for the authorizing official to make\n           The ultimate objective of the continuous moni\xc2\xad                                         a credible, risk-based decision to approve system op\xc2\xad\n           toring program is to determine if the security                                         eration, but Census needs to improve security control\n           controls in the information system continue to                                         assessments.\n           be effective over time in light of the inevitable\n           changes that occur in the system as well as the                                        Bureau Response\n           environment in which the system operates. Con\xc2\xad\n           tinuous monitoring is a proven technique to ad\xc2\xad                                        Census concurred with our recommendations but took\n           dress the security impacts on information systems                                      exception to four of the vulnerabilities we identified\n           resulting from changes to the hardware, software,                                      during our tests of system components. The bureau\n           firmware, or operational environment.                                                  contended that one of the four is not applicable to the\n                                                                                                  system, but we disagreed and reiterated our recom\xc2\xad\n                                                                                                  mendation that it be remediated. 
Census stated that\n                                                         NIST Special Publication 800-37\n                           Guide for Security Authorization of Federal Information Systems\n                                                                                                  the remaining three\xe2\x80\x94which pertain to system access,\n                                                           A Security Life Cycle Approach         user identification and authentication, and audit logs\n                                                                             August 2008\n                                                                                                  of system activity\xe2\x80\x94cannot be remediated because the\n                                                                                                  system cannot support the necessary changes. How\xc2\xad\n                                                                                                  ever, the bureau subsequently agreed that one of the\n                                                                                                  three could be resolved and indicated it is taking steps\n                                                                                                  to do so. We again reiterated the need for addressing\n                                                                                                  the other two in order to optimize the system\xe2\x80\x99s secu\xc2\xad\n                                                                                                  rity status. 
(OSE-19163)

Inadequate C&A for Field Data Collection Automation System

We evaluated the certification and accreditation of the FDCA system as configured to support address canvassing during FY 2008 dress rehearsal operations. This C&A is the first of at least three that Census will complete before the system’s final configuration for the 2010 decennial.

We found the system security plan was generally adequate but the bureau began certification assessments several months before the plan had been approved. We also found the bureau had not defined secure configuration settings for a number of system components, had not evaluated established settings for others, and did not test several security controls. Finally, vulnerabilities discovered during the C&A process were not included in either the security assessment report or the plan of action and milestones, which means the authorizing official approved the system’s operation without complete, accurate information regarding its security status.

We recommended that Census ensure certification and accreditation do not commence until the security plan has been approved, secure configuration settings for all system components are defined and evaluated, all security controls tested according to applicable procedures, and identified vulnerabilities reported and tracked on the system POA&M.

Bureau Response

The Census Bureau concurred with our recommendations and described corrective actions to resolve them. (OSE-19164)

Photo Courtesy NOAA/National Undersea Research Program

NOAA researchers preparing to drill into a coral reef to study climate over the past 20,000 years.
NATIONAL OCEANIC AND ATMOSPHERIC ADMINISTRATION

The National Oceanic and Atmospheric Administration studies climate and global change; ensures the protection of coastal oceans and the management of marine resources; provides weather services; and manages worldwide environmental data. NOAA does this through the following organizations:

National Weather Service reports the weather of the United States and provides weather forecasts and warnings to the general public.

National Ocean Service provides products, services, and information that promote safe navigation, support coastal communities, sustain marine ecosystems, and mitigate coastal hazards.

National Marine Fisheries Service is dedicated to the stewardship of living marine resources through science-based conservation and management, and the promotion of healthy ecosystems.

National Environmental Satellite, Data, and Information Service observes the environment by operating a national satellite system.

Office of Oceanic and Atmospheric Research conducts environmental research, provides scientific information and research leadership, and transfers research into products and services to help NOAA meet the evolving economic, social, and environmental needs of the nation.

Office of Program Planning and Integration develops and coordinates NOAA’s strategic plan, supports organization-wide planning activities, guides managers and employees on program and performance management, and integrates policy analyses with decision-making.

Data Buoy System Found to Have Declining Data Availability and Ineffective Contracting Practices

NWS’ National Data Buoy Center (NDBC) operates three major buoy systems and a network of coastal marine observing stations that provide critical data on oceanic and atmospheric conditions for weather forecasters, oceanographers, commercial fishers, and others. The systems consist of (1) off-shore weather buoys and Coastal Marine Automated Network, or C-MAN, stations; (2) Deep-Ocean Assessment and Reporting of Tsunami (DART) buoys; and (3) Tropical Atmosphere and Ocean (TAO) buoys. The latter two systems were developed and formerly operated by NOAA’s Pacific Marine Environment Laboratory (PMEL).

In 2005, NDBC signed an indefinite-delivery indefinite-quantity contract with Science Applications International Corporation (SAIC) to operate and maintain the buoy networks. The contract has a $500 million ceiling, with a 5-year base term and the possibility of five 1-year extensions. The U.S. Coast Guard provides the center with ship transit to the weather buoys for repair and maintenance, under the terms of a 1993 memorandum of understanding. NDBC leases privately owned vessels to service the DART buoys and uses a NOAA ship to service the TAO buoys.

US Coast Guard photo by Tyler Johnson

A runaway NOAA weather buoy is recovered by the USCGC Ironwood after it drifted for six months in the Gulf of Alaska. The buoy will be repaired and returned to its station roughly 300 miles southwest of Kodiak Island.

We evaluated (1) the center’s maintenance and repair operations for the buoys; (2) the adequacy and reliability of the buoy data; (3) the structure and administration of the support services contract; and (4) the transfer of the TAO and DART programs to NDBC. Our observations are as follows:

Declining availability of data from weather buoys

Though the center has historically met or exceeded its performance goals for the systems, weather buoy performance fell off sharply after August 2006. Data availability—the percentage of time that a typical buoy is operating properly and providing data—reached a 3-year low of 71.7 percent in April 2007—almost 19 percentage points below the 10-year average and more than 13 percentage points below the performance goal.

Unsuccessful repair calls

Frequent unsuccessful service visits complicate the center’s efforts to maintain data availability. Coast Guard records indicated that between July 2005 and July 2007, 51 of 101 weather buoys received multiple service visits, with the average interval between visits only 107 days. Contractor error resulted in unsuccessful service outcomes for approximately 18 percent of the service visits in our sample. Factors such as incomplete records and inadequate training contributed to these errors. NDBC should work with its contractor to address these issues and reduce the number of unsuccessful service visits.

Unclear ship transit requirements

Both center and contractor personnel claimed that maintenance and repair efforts are further complicated by insufficient Coast Guard ship transport. But NDBC could not document this shortage or cite specific cases in which ship transit requests had been denied. And we found that the center was unsure of its exact ship transit needs because it had not clearly defined what service intervals are required to maintain data availability and had not fully utilized available Coast Guard resources.

We recommended that the center and its contractor (1) more clearly define required service schedules, (2) better coordinate ship transit needs with the Coast Guard, and (3) identify and prioritize its inventory deficiencies and take action to address them.

Deployment of untested equipment

We also found that NDBC deployed new oceanographic sensors without adequately testing them to ensure they work properly, and two of the three types deployed—current and salinity sensors—proved to be unreliable. Less than a third of these sensors were functioning at the time of our review, and NDBC will have to make adjustments to the 27 separate platforms on which the sensors were installed. In the future, NDBC should test new sensors on a limited number of buoys before widely deploying them.

Structure of contract incentives needs to be improved

In order to provide a performance incentive for the contractor, the center’s contract with SAIC allows for the extension of the contract term beyond the 5-year base. However, the contract does not clearly define this provision and does not establish the prices of services to be delivered after the 5-year base term. NDBC should address the ambiguity and pricing issues. It should also obtain an opinion from the Department’s Office of General Counsel on the permissibility of the extension or recompete the contract before the expiration of the base term.

The contract’s questionable award-term provision is in part a reflection of the lack of departmental guidance on the use of award-term incentives. Commerce needs to prepare guidance for its contracting officers on award-term contracts and issue an administrative order clarifying the policies and procedures for its Acquisition Review Board.

The contract’s fee scale does not promote superior performance: differences in award amounts for performance rated unsatisfactory through outstanding are insignificant. NDBC should adjust fees to maximize their effect on contractor performance, as permitted by the terms of the existing contract.

Inconsistent performance metrics

Performance metrics for the contractor often do not give appropriate weight to the center’s core data availability goal and sometimes hold the contractor accountable for goals that differ from those of the center. NDBC has also not adequately disclosed all metrics and in some cases has been late in communicating them to the contractor. The center needs to ensure performance metrics are consistent with its own, and communicate them to the contractor in a timely manner.

Difficulties transitioning DART and TAO buoy systems

NOAA transitioned the DART buoys from PMEL to the center over the course of 2 years (2001-03) and began the TAO transition in 2005. Both transitions were problematic and NOAA oversight during the transitions was inadequate. In the case of DART, the center was not sufficiently prepared to fully support the buoys: NOAA had not clearly defined data collection requirements and the center did not have the technical capabilities to collect certain information. These problems, among other things, contributed to the loss of important observational data on the 2004 Sumatra tsunami.

For TAO, the center did not receive needed maintenance documentation and technical specifications, or enough funding to complete a required technology refresh. NOAA also did not provide adequate resources to support data collection and dual operations at both PMEL and NDBC during the transition period. In addition, NOAA researchers have been concerned about NDBC’s ability and willingness to make needed system modifications to meet evolving data requirements.

Photo: NOAA

A repair technician services a TAO buoy deep in the Pacific Ocean. NOAA maintains approximately 55 TAO buoys throughout the equatorial Pacific, enabling scientists to collect real-time, high-quality oceanographic and meteorological data for monitoring, forecasting, and understanding climate swings associated with El Niño and La Niña.

Despite the transitions, PMEL has been planning enhancements for the two systems to meet various data collection goals, and the center has similar projects under way as well. Although the two are aware of each other’s research efforts, they have not worked together or consulted each other on the scope and objectives of their projects.

In future transitions, NOAA management should ensure that (1) the center develops a process to respond to emerging data requirements; (2) NOAA research organizations document the technical specifications and maintenance procedures of research systems; and (3) NOAA updates its administrative order on transitions to address issues arising from the DART and TAO transitions.

Finally, NOAA needs to foster improved internal communication and cooperation on research and development projects, such as those being conducted by PMEL and NDBC, to prevent duplication and ensure that individual design specifications consider the needs of all relevant organizations as appropriate.

Response from NOAA and the Department

NOAA concurred with all of our recommendations. Among other things, the National Data Buoy Center now develops site-specific field service plans, conducts pre-trip planning meetings, tracks the outcome of the contractor’s buoy repair calls and has established a comprehensive training program for technicians. It also is documenting standard procedures for on-site visits, improving coordination and information-sharing with the Coast Guard, and implementing stronger inventory control processes. NOAA reports that it has improved its fee scale to provide the contractor with greater performance incentives, obtained a legal review of the contract term, and reevaluated performance metrics.

the use of incentives in government contracting and expects Commerce-specific guidance to be developed in tandem with this effort. He also noted the Department is refining the role and structure of its acquisition board in conjunction with developing a Department-level Investment Review Board, and a DAO addressing both is forthcoming. (IPE-18585)

Joint Enforcement Agreements Fall Short of Protection Potential

We assessed the efforts of the National Marine Fisheries Service’s Office for Law Enforcement (OLE) to target living marine resource violations through the joint enforcement agreement (JEA) program. OLE relies on the U.S. Coast Guard and coastal state¹ marine enforcement agencies for help enforcing federal fisheries regulations within the 200 miles of U.S. coastline known as the U.S. Exclusive Economic Zone (EEZ). It uses joint enforcement agreements to transfer federal dollars to its state partners to fund their federal enforcement activities.

We had looked at the JEA program in 2003² and identified a number of needed improvements. We revisited the program during this semiannual period and noted some progress, but found several deficiencies that prevent NOAA from maximizing the benefits of its partnerships with the states. Our specific findings are as follows:

JEA Activities Need to Be More Closely Monitored

In our March 2003 report, we recommended that OLE divisions regularly verify state-reported enforcement
                               activities and expenditures, and OLE headquarters\n                                                                     conduct on-site reviews to confirm a partner\xe2\x80\x99s accom\xc2\xad\n        Regarding our two recommendations to the Depart-             plishments and internal controls over program funds.\n        ment\xe2\x80\x94that it issue guidance on the proper use of             OLE has since developed a Cooperative Enforcement\n        award-term incentives, and prepare a Departmental            Program Manual and initiated performance reviews.\n        Administrative Order clarifying the role and authori\xc2\xad        But the office has yet to (1) institute an adequate di\xc2\xad\n        ties of the Commerce Acquisition Board\xe2\x80\x94the Chief             1\t\n                                                                          The term \xe2\x80\x9cstate\xe2\x80\x9d also includes \xe2\x80\x9cterritory\xe2\x80\x9d and \xe2\x80\x9ccommon\xc2\xad\n        Financial Officer and Assistant Secretary for Admin\xc2\xad              wealth.\xe2\x80\x9d\n        istration reported that the Department is participating      2\t\n                                                                          NMFS Should Take a Number of Actions to Strengthen Fisheries En\xc2\xad\n        in an interagency task force to develop guidelines on             forcement (IPE-15154/March 2003).\n\n\n\n\n                                                                24\n\x0cSeptember 2008\xe2\x80\x94Semiannual Report to Congress                                                                  National Oceanic and Atmospheric Administration\n\n\n\n                                                                                       We recommended that OLE develop a strategy for\n                                                                                       reviewing all partner programs that prioritizes the or\xc2\xad\n          
                                                                             der in which it assesses them, verifies and evaluates a\n                                                                                       program\xe2\x80\x99s internal controls and accomplishments, and\n                                                                                       reports results to state JEA officials in a timely man\xc2\xad\n                                                                                       ner.\n\n                                                                                       Use of Summary Settlements Is Lim-\n                                                                                       ited and Loosely Managed\n\n                                                                                       The summary settlement system was designed to pro\xc2\xad\n                                                                                       cess minor federal fishery violations efficiently by al\xc2\xad\n                                                                                       lowing enforcement officials in the field to issue tick\xc2\xad\n                                                                                       ets on the spot and giving violators the opportunity to\n                                                        NMFS Office Law Enforcement    pay a reduced penalty within a specified time period, in\n                                                                                       lieu of contesting an alleged violation and possibly go\xc2\xad\n       Coast Guard and NOAA agents oversee crewmembers offloading their                ing to court. If the party chooses not to pay the fine,\n       catch. 
Partnering with the Coast Guard and state enforcement agencies has\n       enhanced NOAA\xe2\x80\x99s ability to enforce fisheries regulations through at-sea\n                                                                                       the case is forwarded for prosecution to NOAA\xe2\x80\x99s Of\xc2\xad\n       patrols and dockside inspections.                                               fice of General Counsel for Enforcement and Litiga\xc2\xad\n                                                                                       tion (GCEL). Because summary settlements are a type\n       vision-level program that fully and regularly verifies                          of civil penalty, law enforcement entities must receive\n       state-reported activities or (2) conduct headquarters                           authority to use them from GCEL.\n       performance reviews of most JEA partners.\n\n       Division-level reviews\n\n       Most OLE managers we spoke with stated that the\n       divisions lack resources to improve monitoring. How\xc2\xad\n       ever, five of the six division JEA coordinator posi\xc2\xad\n       tions are fully funded by the JEA program, yet none\n       of the coordinators works full time on JEA activities.\n       Because the program accounts for a substantial por\xc2\xad\n       tion of OLE\xe2\x80\x99s federal fishery enforcement funding,\n       we recommended that OLE ensure JEA coordinators\n       dedicate 100 percent of their time to it. 
Additionally,\n       OLE special agents in charge should regularly verify\n       partner activities in order to tie program funding deci\xc2\xad\n       sions to partner performance.\n\n       Headquarters reviews\n\n       OLE headquarters initiated independent reviews of                                                                                    NMFS Office Law Enforcement\n       program partners in September 2006, and to date has\n       reviewed 10 of the 27 states receiving JEA funds. But                               A deputized fisheries enforcement agent patrols protected waters looking for\n       it has reported its findings to only 6 of the 10, even                              fisheries violations.\n       though the remaining 4 reviews were completed more\n       than a year ago. We found that OLE has no set time\n       frame for reporting its results to the JEA partner upon\n       completion of reviews.\n\n\n                                                                                      25\n\x0cNational Oceanic and Atmospheric Administration                                September 2008\xe2\x80\x94Semiannual Report to Congress\n\n\n\n        Few partners authorized to use summary                      NOAA Response\n        settlements\n                                                                    NOAA agreed with all of our recommendations and\n        We found that only 3 of the 27 JEA partner states           reported a series of actions it plans to take to imple\xc2\xad\n        have authority to issue summary settlements. Some           ment them. (IPE-19050)\n        GCEL attorneys are resistant to extending this au\xc2\xad\n        thority to more partners because they are concerned\n        their caseloads will increase with an influx of unpaid\n        or appealed tickets requiring litigation. 
But GCEL has\n                                                                    C&A Weaknesses Identified for\n        not conducted any type of assessment to validate this       NOAA Systems, But Some\n        concern.\n                                                                    Improvements Were Made\n        OLE indicated that it plans to collaborate with GCEL        Through Continuous Monitoring\n        and JEA partners to determine the most strategic use\n        of summary settlement authority. We support this ef\xc2\xad\n        fort and recommended that OLE and GCEL develop              As part of our 2008 FISMA work, we evaluated the\n        specific criteria or guidelines for determining where       C&A process for four NOAA systems: the National\n        and how the summary settlement system should be             Weather Service\xe2\x80\x99s Telecommunication Gateway and\n        used.                                                       its International Satellite Communications System\n                                                                    Data Acquisition and Delivery Network; the National\n        No documented process for making                            Marine Fisheries Service\xe2\x80\x99s Science and Technology\n        and managing delegations of summary                         System, and the Satellite Environmental Process\xc2\xad\n        settlement authority                                        ing System operated by the National Environmental\n                                                                    Satellite, Data, and Information Service (NESDIS).\n        GCEL lacks formal policies and procedures governing         We also tested selected security controls on the NWS\n        how partners should receive and use summary settle\xc2\xad         Telecommunication Gateway and the NMFS Science\n        ment authority. 
As a result, we found that at least five    and Technology System.\n        states had been incorrectly told by OLE that they had\n        summary settlement authority. OLE mistakenly be\xc2\xad            As we had done at BEA, we revisited three NOAA\n        lieved that GCEL\xe2\x80\x99s delegation of authority automati\xc2\xad        systems\xe2\x80\x94the Gateway, International Satellite Com\xc2\xad\n        cally applied to JEA partners via their deputization to     munications, and Science and Satellite Technology\n        enforce federal fishery statutes. As our review was in      systems\xe2\x80\x94after our C&A work had concluded to de\xc2\xad\n        progress, GCEL instructed OLE to advise the states          termine whether continuous monitoring was in fact\n        to stop issuing summary settlements because they had        having the desired effect. In the case of Gateway, we\n        not been delegated this authority.                          found that NOAA had recertified the system and that\n                                                                    the control assessments we reviewed were rigorous\n        For the three states that did receive delegation of         and supported by adequate evidence. For the Interna\xc2\xad\n        authority, we found very limited documentation sup\xc2\xad         tional Satellite system, NOAA provided evidence of\n        porting the action\xe2\x80\x94there is some electronic mail            improvements to the security control assessments that\n        traffic between GCEL and OLE and OLE and state              occurred as part of its continuous monitoring pro\xc2\xad\n        partners related to the two recent delegations, but no      gram. We found continuous monitoring for the Sci\xc2\xad\n        documentation for the remaining one.                        
ence and Technology system to be ineffective.\n\n        We recommended that GCEL establish national poli\xc2\xad           The results of our FISMA work at NOAA are sum\xc2\xad\n        cies and procedures for making and managing delega\xc2\xad         marized below.\n        tions of summary settlement authority. These should\n        include requirements for maintaining written docu\xc2\xad\n        mentation of delegation decisions and providing writ\xc2\xad\n        ten notification of these decisions to JEA partners.\n\n\n                                                               26\n\x0cSeptember 2008\xe2\x80\x94Semiannual Report to Congress                                     National Oceanic and Atmospheric Administration\n\n\n\n       National Weather Service\xe2\x80\x99s\n       Gateway System Certification\n       Assessments Were Deficient, But\n       NOAA Took Action to Improve\n       Them\n       The gateway system collects, processes, and dissemi\xc2\xad\n       nates national and international meteorological data\n       and products in real time. The system interconnects\n       with numerous other systems worldwide, and its data\n       is used by other government agencies, the private sec\xc2\xad      system\xe2\x80\x99s plan of action and milestones and remediate\n       tor, and the general public.                                
them in a timely manner, as well as ensure system se\xc2\xad\n                                                                   curity plans are approved prior to certification; secure\n       We found that NWS began certifying the system be\xc2\xad           configurations are defined and implemented on all\n       fore it had adequately defined security controls in the     IT products; and assessments test controls on all ap\xc2\xad\n       system security plan or gotten formal review and ap\xc2\xad        plicable system components according to applicable\n       proval of the plan, resulting in an ineffective C&A         procedures.\n       process. In fact, the plan was approved on the same\n       date as the system was accredited, which means dur\xc2\xad         NOAA Response\n       ing the course of the certification, certifiers lacked\n       the information they needed to effectively assess con\xc2\xad      NOAA agreed with all but one of our findings, not\xc2\xad\n       trols: the plan they were using contained incomplete        ing that the system security plan had been favorably\n       specifications for security control enhancements and        reviewed by the NWS information security officer\n       parameters, and it incorrectly identified a number of       and approving official prior to certification, though\n       physical and environmental security controls.               not signed. NOAA described actions that are fully re\xc2\xad\n                                                                   sponsive to our recommendations. (OSE-19000)\n       In addition, we found that NWS did not test secure\n       configuration settings for any system-related IT prod\xc2\xad\n       ucts (e.g., servers, desktops, routers, switches) and in    Significant Weaknesses Evident\n       some cases had not even defined these settings. 
We also\n                                                                   in C&A for International Satel-\n       found that certification assessments were incomplete\n       and flawed\xe2\x80\x94the C&A documentation lacked evidence            lite System, But Improvements\n       of security control testing on several system compo\xc2\xad        Made Through Continuous\n       nents and applications. In some cases, the assessment       Monitoring\n       erroneously indicated that certain procedural steps for\n       control assessments were related to NOAA common             The International Satellite Communications System\n       controls (controls applicable to a number of systems).      Data Acquisition and Delivery Network is a complex\n       In others, test results were inappropriately based on       wide area and satellite network designed to distribute\n       interviews and document reviews or other improper           critical weather data to remote sites across the globe.\n       procedures, contained inconsistent evidence, or did         The network consists of three earth stations, four\n       not describe vulnerabilities discovered.                    contractor operations centers, and one NOAA loca\xc2\xad\n                                                                   tion. 
A contractor has owned and operated the system\n       Finally, in our own evaluation of a set of system com\xc2\xad      on behalf of NOAA since 2003, but it was granted its\n       ponents we found significant control weaknesses not         first authorization to operate in March 2007.\n       identified in the NWS security certification.\n                                                                   A September 2006 OIG report, Additional Steps Are\n       We recommended that NOAA, among other things,               Necessary to Provide Better Oversight of Contractor Infor\xc2\xad\n       promptly add the deficiencies we identified to the\n\n\n                                                                  27\n\x0cNational Oceanic and Atmospheric Administration                                     September 2008\xe2\x80\x94Semiannual Report to Congress\n\n\n\n                                                                         In performing the initial certification and accredita\xc2\xad\n                  What Is a Certification and                            tion, NOAA and the contractor were essentially \xe2\x80\x9cstart\xc2\xad\n                   Accreditation Package?                                ing from scratch\xe2\x80\x9d in meeting FISMA requirements:\n                                                                         the system had no defined accreditation boundary\xe2\x80\x94\n           Security certification and accreditation packages con\xc2\xad\n           tain three elements, which form the basis of an autho\xc2\xad        that is, no inventory of all system resources to be ad\xc2\xad\n           rizing official\xe2\x80\x99s decision to accredit a system.              dressed in the C&A. 
There was also no security plan,\n                                                                         and no specified security requirements and control\n           1.\t The system security plan describes the system,            implementations. Secure configuration baselines were\n               the requirements for security controls, and               not defined for IT products.\n               the details of how the requirements are be\xc2\xad\n               ing met. The security plan provides a basis               Our evaluation found that key C&A planning activities\n               for assessing security controls also includes             were not adequate or appropriate: though NOAA had\n               other documents such as the system risk as\xc2\xad               defined a security boundary, it was incomplete and in\n               sessment and contingency plan, per Depart\xc2\xad                some cases inaccurate. System descriptions were de\xc2\xad\n               ment policy.                                              ficient and remained so at the time of our review\xe2\x80\x94\n           2.\t The security assessment report presents the re\xc2\xad           more than a year after the system was authorized to\n               sults of the security assessment and recom\xc2\xad               operate. We also found that the same individuals both\n               mendations for correcting control deficien\xc2\xad               developed the security plan and assessed security con\xc2\xad\n               cies or mitigating identified vulnerabilities.            trols, contrary to NIST requirements that these duties\n               This report is prepared by the certification              be separated.\n               agent.\n           3.\t The plan of action & milestones is based on the           None of the significant deficiencies identified during\n               results of the security assessment. 
It docu\xc2\xad              certification were properly listed on a plan of action\n               ments actions taken or planned to address                 and milestones. Even after the plan was developed,\n               remaining vulnerabilities in the system.                  NOAA did not submit it for more than a year after au\xc2\xad\n                                                                         thorizing the system to operate, which prevented both\n                                                                         the Department and OMB from properly tracking the\n        mation Security (Report No. OSE-18028), found that               deficiencies\xe2\x80\x99 resolution in the interim.\n        NOAA was not applying FISMA and Commerce IT\n        security requirements to some of its contractor-man\xc2\xad             Finally, letters justifying the accreditation decision in\xc2\xad\n        aged information technology systems. So NOAA                     correctly asserted that security controls were in place\n        subsequently decided the international satellite sys\xc2\xad            and a timetable for addressing vulnerabilities had been\n        tem should meet those requirements and initiated the             established.\n        certification and accreditation process that resulted in\n        the 2007 authorization. NOAA\xe2\x80\x99s service contract for              We recommended that NOAA properly define the ac\xc2\xad\n        the system did not include the Department-mandated               creditation boundary and security controls in the sys\xc2\xad\n        IT security clauses requiring a contractor\xe2\x80\x99s compliance          tem security plan, the authorizing official approve the\n        with Commerce and FISMA requirements. 
NOAA                       system security plan in accordance with NIST guid\xc2\xad\n        told us that that its contractor was initially resistant         ance, and the certification agent not be involved in se\xc2\xad\n        to adding these clauses because of cost and liability            curity planning activities. We also recommended that\n        concerns. As a result, the agency devised an alterna\xc2\xad            NOAA set completion dates for resolving weaknesses\n        tive contractual agreement to allow the contractor to            and submit the system POA&M to the Department in\n        conduct the C&A, with agreement by both parties to               accordance with policy.\n        subsequently add the IT security clauses and jointly\n        manage the information system security. NOAA offi\xc2\xad               NOAA Response\n        cials told us they viewed the C&A as an initial audit of\n        the system, and as an opportunity for the contractor             NOAA officials generally agreed with our findings and\n        to understand FISMA requirements.                                recommendations and described corrective actions to\n                                                                         address them. 
(OSE-19166)\n\n\n                                                                    28\n\x0cSeptember 2008\xe2\x80\x94Semiannual Report to Congress                                      National Oceanic and Atmospheric Administration\n\n\n\n\n       Widespread Weaknesses in C&A\n                                                                      Additional Commerce Requirements\n       for NMFS Science and Technol-\n                                                                     Commerce\xe2\x80\x99s IT Security Program Policy and\n       ogy System                                                    Minimum Implementation Standards requires\n                                                                     that C&A documentation contain supporting \n\n       The Science and Technology System processes com\xc2\xad              evidence of the adequacy of the security assess\xc2\xad\n       plex scientific and general data for the National Ma\xc2\xad         ment. Two important components of this docu\xc2\xad\n       rine Fisheries Service, and supports an array of agency       mentation are:\n\n       operations and research\xe2\x80\x94data and information man\xc2\xad\n       agement, fisheries surveys, and stock assessments,            1.\t the certification test plan, which documents the \n\n       to name a few. NMFS Science and Technology staff                  scope and procedures for testing (assessing) \n\n       manages the system, but various information owners                the system\xe2\x80\x99s ability to meet control require\n\xc2\xad\n       within NMFS manage the system\xe2\x80\x99s applications and                  ments; and\n       are responsible for related security controls.                
2.\t the certification test results, which is the raw data \n\n                                                                         collected during the assessment.\n \n\n       Our FISMA review of this system identified wide\xc2\xad\n       spread weaknesses in the C&A process:\n                                                                   security program in the months since the system\xe2\x80\x99s ac\xc2\xad\n         \xe2\x80\xa2\t   The security plan did not provide an adequate        creditation may have addressed many of our concerns.\n              basis for certification and accreditation.           The bureau also indicated that it is working with the\n         \xe2\x80\xa2\t   The certification team did not adequately assess     Department to deploy the Cyber Security Assessment\n              controls.                                            and Management (CSAM) tool that it believes will fur\xc2\xad\n         \xe2\x80\xa2\t   The system plan of action and milestones did         ther address our recommendations.\n              not report known vulnerabilities and was not\n              submitted to the Department as required by           However, our check of subsequent security materials\n              policy.                                              and activities indicate that the revised NMFS security\n                                                                   program still falls short of meeting minimum security\n       Our own assessment of certain system components             requirements\xe2\x80\x94a situation confirmed by the results of\n       found weaknesses in a number of operational and             continuous monitoring. While we do believe CSAM\n       technical controls requiring remediation.                   
will enable NOAA to better comply with FISMA and\n                                                                   Department IT security policy requirements, we re\xc2\xad\n       We concluded that the authorizing official lacked suffi\xc2\xad    main concerned that NOAA management is giving\n       cient information about system vulnerabilities to make      insufficient attention to IT security at NMFS. (OSE\xc2\xad\n       a credible, risk-based decision on whether to accredit      19165)\n       the system.\n\n       We advised NOAA to improve security planning to             NESDIS System Did Not Comply\n       include all information required by the Department\xe2\x80\x99s\n       IT security policy and NIST guidance; ensure that the       with Department IT Security\n       system\xe2\x80\x99s security certification is based on a rigorous      Requirements\n       assessment of controls; report known vulnerabili\xc2\xad\n       ties\xe2\x80\x94including those we identified in our own test-         The Satellite Environmental Processing System\n       ing\xe2\x80\x94on the system plan of action and milestones and         (SATEPS) collects, processes, stores, and disseminates\n       submit the plan to the Department OCIO.                     
global weather satellite data for foreign and domestic\n                                                                   users.\n       NOAA Response\n                                                                   We selected SATEPS for review because according\n       NOAA generally concurred with our findings and              to the Department\xe2\x80\x99s information system inventory,\n       recommendations, noting changes to the NMFS IT              it had been recently accredited, with an authorization\n\n\n                                                              29\n\x0cNational Oceanic and Atmospheric Administration                                September 2008\xe2\x80\x94Semiannual Report to Congress\n\n\n\n         learned this information was incorrect. SATEPS was          SATEPS was finally decommissioned in February\n         scheduled to be decommissioned prior to September           2008. In light of the security lapses the agency per\xc2\xad\n         22, 2007, when its last authorization to operate would      mitted while the system was active, we recommended\n         have expired. But decommissioning was delayed, so           that NOAA officials give NESDIS systems appropri\xc2\xad\n         NESDIS extended the original authorization rather           ate management attention and ensure all systems are\n         than initiate a new certification and accreditation pro\xc2\xad    operating in full compliance with the Department\xe2\x80\x99s IT\n         cess.                                                       
security policy.\n\n         Our evaluation found that SATEPS operated for at            NOAA Response\n         least 2 years with significant deviations from manda\xc2\xad\n         tory security requirements\xe2\x80\x94most notably, the sys\xc2\xad           NOAA officials generally agreed with our findings\n         tem\xe2\x80\x99s security plan had not been updated since June         and recommendations, noting the deployment of the\n         2005 and a number of required security controls were        Cyber Security Assessment and Management tool will\n         not in place. NESDIS did not seek waivers from the          play a significant part in addressing our recommenda\xc2\xad\n         Department to forgo these requirements, even though         tions. (OSE-19167)\n         Commerce IT security policy obligates agencies to\n         do so. Despite significant deficiencies with SATEPS\xe2\x80\x99\n         security controls, we found the authorizing official\n         received sufficient information to make a credible,\n         risk-based decision to extend SATEPS authorization\n         to operate.\n\n\n\n\n                                                                30\n\x0c     UNITED STATES PATENT AND \n\n        TRADEMARK OFFICE\n\t\n\nT       he United States Patent and Trademark Office administers the nation\xe2\x80\x99s patent and trademark laws.\n        Patents are granted and trademarks registered under a system intended to provide incentives to invent,\n        invest in research, commercialize new technology, and draw attention to inventions that would oth-\nerwise go unnoticed. 
USPTO also collects, assembles, publishes, and disseminates technological information disclosed in patents.

Comprehensive Operating Plan Needed for Overseas Intellectual Property Rights Attaché Program

Theft of intellectual property rights—copyrights, trademarks, patents, industrial designs, and trade secrets—costs the United States hundreds of billions of dollars each year and hundreds of thousands of jobs. It affects manufacturing, technology, pharmaceuticals, and numerous other industries.

The United States Patent and Trademark Office promotes intellectual property rights protection and enforcement domestically and abroad by conducting outreach and training activities, working to secure strong international agreements on intellectual property rights, and encouraging U.S. trading partners to strictly enforce these agreements and protections.

In 2005, USPTO began posting attachés at U.S. embassies to provide legal and technical expertise on intellectual property rights issues. Attachés are currently posted in Brazil, China, Egypt, India, Russia, and Thailand.

We evaluated the attaché program to learn whether its objectives are adequate and how the attachés work with other government agencies. We also looked at USPTO’s attaché recruitment process, training, and terms of appointment, as well as the agency’s method of placing attachés in posts.

We found the attachés are generally coordinating their activities with other U.S. government agencies and have good relationships with their U.S. mission counterparts and with host government officials. However, the roles and responsibilities of the attachés in relation to the International Trade Administration’s Commercial Service and the U.S. Department of State need to be better defined. In addition, guidelines and criteria for program expansion need to be addressed, as do attaché training and program continuity.

We recommended USPTO develop and implement a comprehensive operating plan for the attaché program in consultation with relevant U.S. government agencies to better integrate attachés in their respective U.S. overseas missions and help them perform their duties effectively. The plan should cover everything from recruiting candidates to ensuring intellectual property rights coverage and continuity when attachés transition to other posts. USPTO agreed with our recommendation and told us it expects to have a plan in place by the first quarter of FY 2009. (IPE-19044)

Photo (USPTO): Secretary Gutierrez poses with USPTO’s overseas intellectual property rights attachés at USPTO headquarters in December 2007. The group was gathered for a week-long consultation with USPTO colleagues, members of industry, and other U.S. government agencies.

FISMA Reviews Identify Significant Weaknesses in Patent Systems’ C&A Process

Security Plan, Assessments Lacking in Landon IP System C&A

We evaluated the Landon IP information system, which is owned and operated by a contractor. The Landon IP system supports the USPTO international patent application process under the Patent Cooperation Treaty (PCT). The PCT provides a unified procedure for filing patent applications to protect inventions in each of the states party to the treaty. Landon IP analysts conduct searches on applications received from USPTO via a secure communications channel, develop opinion papers on the invention, and return the papers to USPTO via the same secure communications channel.

Prior to our evaluation, USPTO had a consultant independently assess the system’s C&A documentation. The consultant reported significant deficiencies with the system security plan, contingency plan, and control assessments. But these weaknesses were not included in the plan of action and milestones we received for review.

Our evaluation identified a number of additional weaknesses, for the most part pertaining to assessment procedures that USPTO either omitted or performed inadequately. For example, it assessed components that were not within the system’s accreditation boundary because system diagrams and component inventories did not match; did not evaluate the appropriateness of access control procedures, which we found to be lacking in substance; did not assess whether system components are configured to disable inactive accounts automatically; and did not follow proper procedures for assessing remote access controls.

The contract staff operating the Landon IP system explained that system diagrams and inventories did not match at the time of certification testing because the system boundary had not been finalized. We recommended that USPTO (1) define accreditation boundaries before certification begins, and (2) add the deficiencies identified by both the consultant and OIG to the system’s plan of action and milestones.

USPTO Response

USPTO indicated its intent to comply with our recommendations, but took exception to our finding that certification testing occurred before the accreditation boundary was finalized. The agency asserted that the boundary had been finalized prior to certification testing, and provided the date. We do not dispute the document may have been approved, but it clearly did not reflect a final consensus. For example, the certification team assessed controls on the system’s web site, which was not identified in the approved boundary definition document. During our review, both USPTO personnel and Landon IP staff informed us that discussions about the system’s boundary were ongoing during testing, and the web site had been initially included in the boundary but was later removed. (OSE-19367)

Security Plan, Common Controls Weaknesses Among Problems Noted in C&A for Enterprise Remote Access System

The Enterprise Remote Access (ERA) System enables USPTO personnel to perform their official duties remotely from alternative worksites supporting USPTO telework programs and initiatives. ERA facilitates the secure remote access of communications, protective services, and network infrastructure support for all USPTO applications. ERA system components were certified and accredited under the USPTO Network Perimeter system in FY 2007. However, due to the large size of the USPTO infrastructure, management decided to restructure the accreditation boundary of the Network Perimeter system into more manageable components. USPTO’s chief information officer authorized ERA to operate on May 22, 2008.

Our review revealed the following:

• The system security plan needs improvement—it did not fully define the accreditation boundary or adequately describe certain controls.
• The common controls the bureau selected did not meet the system’s minimum security requirements.
• A number of technical controls were not assessed. Numerous others were not assessed according to required procedures, yet they were reported as fully meeting requirements.
• The plan of action and milestones did not give completion dates for resolving deficiencies.

We concluded the C&A process did not give the authorizing official the necessary information to make a credible, risk-based accreditation decision. USPTO needs to ensure that all required system-specific and common controls are implemented and must improve control assessments to verify that controls are implemented correctly, operating as intended, and meeting security requirements, and must ensure the certification team has the access it needs to thoroughly assess controls.

USPTO Response

USPTO generally concurred with our recommendations but disagreed with our finding that the security plan did not fully define the accreditation boundary or test controls on certain components. The bureau contended that the boundary was accurately defined and that the system owner does not manage the component we stated should have been included. The component, according to USPTO, was therefore not subject to control assessment.

However, we note that the component was included in the security plan’s desktop descriptions and was referenced as within the boundary in our discussions with USPTO officials. Whether the component is or is not within the boundary, the discrepancy supports our finding that the security plan needs improvement, to include precise definition of the system boundary, which will then dictate which components and associated controls require testing. We learned that the ERA system accreditation boundary is continuing to evolve and USPTO is aware of the need to clearly define boundaries in order to adequately plan and assess controls. (OSE-19368)

USPTO’s Privacy Impact Assessment Process Met Federal Requirements

As part of our FISMA work, we assessed USPTO’s privacy impact assessment process. The E-Government Act of 2002 requires agencies to conduct privacy impact assessments of information systems and collections containing personally identifiable information and, in general, to make these assessments publicly available.

We found that USPTO has implemented an effective process for conducting privacy impact assessments, consistent with the E-Government Act and OMB guidance. Since we made no recommendations and no actions were required of USPTO, we did not issue a report but included the results in our annual FISMA report to OMB.

Photo Courtesy Commerce Photographic Services

Commerce Law Library

DEPARTMENT-WIDE MANAGEMENT

The United States Department of Commerce creates the conditions for economic growth and opportunity by promoting innovation, entrepreneurship, competitiveness, and stewardship.
The Department has three stated strategic goals:

Goal 1: Provide the information and tools to maximize U.S. competitiveness.
Goal 2: Foster science and technological leadership by protecting intellectual property, enhancing technical standards, and advancing measurement science.
Goal 3: Observe, protect, and manage the Earth’s resources to promote environmental stewardship.

The Department has also established a Management Integration Goal that is equally important to all bureaus: Achieve organizational and management excellence.

Commerce 2006 Earmarks Match Mission

In August 2006, we received a request from Senator Tom Coburn-R, OK, then-Chairman of the Subcommittee on Federal Financial Management, Government Information, and International Security, to conduct an analysis of the Department’s congressional earmarks. Senator Coburn asked that we determine (1) the total number and cost of congressional earmarks within the programs monitored by OIG, including the cost of each earmark itself and related costs such as staff time and administration; (2) the specific oversight conducted on earmarks and how the oversight compares to that conducted on other expenditures such as grants and contracts, and (3) the overall impact of earmarks on advancing the primary mission and goals of the Department.

We identified 327 earmarks totaling $798.8 million in FY 2006, or 9.6 percent of the total Commerce budget of $8.3 billion for that year—the most recent year for which data was available. More than 90 percent of the number of earmarks in Commerce went to NOAA, which had 298 earmarks totaling $594.5 million ($459 million of which was for NOAA projects not included in the President’s budget).

Costs of Administering Earmarks Not Separated

Commerce bureaus do not account for staff time and costs of administration for earmarks separately from other costs. Bureaus have a variety of practices for charging fees for grant administration for earmarks. NOAA line offices may charge up to 5 percent of the earmark pursuant to the Department’s budget reprogramming authority, which was capped at $750,000 in FY 2006. ITA also charges for grant oversight and administration, usually between 1.5 and 3 percent of an earmark, totaling $355,402 in FY 2006. NIST does not charge earmarks a fee for grant administration. Census, USPTO and the departmental management category do not have earmarked grants.

Oversight of Earmarks Is the Same

We found oversight of FY 2006 earmarked grants and contracts is the same as the oversight for non-earmarked grants and contracts. Applications are required, and recipients have to follow the same rules as recipients of other types of awards.

Earmarks Are Consistent with Department Goals and Mission

Commerce bureau officials we interviewed were in agreement that all of the FY 2006 earmarks were consistent with the Department’s mission and strategic goals. Our review of a nonstatistical sample of 32 earmarked grants from three Commerce bureaus (ITA, NIST and NOAA) found that all were consistent with the mission of the Department.

We did not make recommendations because the purpose of this review was to conduct an independent analysis of Commerce’s congressional earmarks for FY 2006. We gave bureau officials the opportunity to review the report and provide informal comments prior to its release. Bureau officials agreed with our report, and we incorporated their suggestions into the report. (DEN-19021)

Photo (NOAA): NOAA is using earmarked funds to help restore eelgrass in Narragansett Bay, RI, and the shellfish that depend on this underwater vegetation. Our review found that—like this NOAA project—Commerce earmarks support mission activities.

Privacy Impact Assessments Are Generally Meeting Federal Requirements But Must Be Updated to Reflect Recent Commerce Policy Changes

Federal agencies obtain and maintain significant amounts of personally identifiable information about individuals, which must be protected. The E-Government Act of 2002 requires agencies to conduct privacy impact assessments of information systems and collections containing personally identifiable information and, in general, to make these assessments publicly available. The act also requires agencies to post their privacy policies on their web sites in a computer-readable format. The Department’s IT privacy policy defines the responsibilities Commerce operating units have for conducting impact assessments and posting them along with web privacy policies on their web sites.

OMB requires offices of inspectors general to examine the processes agencies use to conduct these assessments as part of their reporting under the Federal Information Security Management Act. We evaluated whether the Department’s privacy impact assessment process adheres to existing policy, guidance, and standards. We also evaluated the Department’s processes for ensuring ongoing compliance with web privacy policies and computer-readability requirements.

Commerce Policy Needs to Be Updated

In a December 18, 2007, memorandum to all chief information officers, entitled Data Extract Log and Verify Requirement, the Department’s CIO required operating units to take the following actions by March 28, 2008:

• Review and update all existing privacy impact assessments, specifically describing how the log and verify requirement of OMB M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, has been implemented for the system.
• Develop privacy impact assessments for all databases containing investigative, law enforcement, and human resources information even if they were previously exempt.

Although the stated purpose of the memorandum was to document the implementation of OMB’s data extract log and verify requirement, it effectively changed the privacy impact assessment exemption for legacy and operational systems, as well as for systems that contain information only about federal employees, to require that all Commerce systems containing personally identifiable information be assessed.

We also found the Department had requested that privacy impact assessments document whether the records collected are being retained and, if so, to include the specified retention schedule.

We recommended the Department update its IT privacy policy to incorporate these new requirements for privacy impact assessments, and revise its IT Security Policy and Minimum Implementation Standards to reference the IT privacy policy as guidance for conducting assessments.

Some Privacy Impact Assessments Are Incomplete

We also found some impact assessments do not address all required elements. We reviewed 20 assessments and found they generally met the intent of OMB’s guidance. However, 4 did not sufficiently address elements required by OMB and 14 did not include sufficient information for certain elements required by Department policy—such as the reason the assessment was conducted or the law or regulation authorizing the information be collected and maintained. We recommended the Department clarify certain sections of its IT privacy policy, consider developing additional guidance on the level of detail to be provided for each assessment element, and approve only those impact assessments that contain all required elements.

Scope of Compliance Check for Web Privacy Policy Is Too Limited

The Department’s web policy, Privacy of Visitors to DOC Web Sites, requires all Commerce sites to have computer-readable privacy policy statements that describe in plain language how the site collects and handles personal information; how users can consent to the policy; how sites that have interactions with children handle getting parental consent, and other issues.

Each year, operating units must certify to the Department that their sites comply with the Department’s web policy. Those that do not comply must explain why and set a target date for eliminating the deficiency.

Department CIO staff validate reported results by evaluating Commerce’s 21 “major” web sites—which include the Commerce homepage, six NOAA sites, and homepages for several other operating units. However, the Department’s FY 2007 annual compliance report identified 842 Commerce web sites because so many operating units—like NOAA—have multiple sites. To ensure compliance with its web policy requirement, the Department should validate a larger, more representative number of Commerce web sites each year. We also found that the evaluation process did not validate the computer readability of the web privacy policies to ensure users can be alerted automatically when posted web site policies do not match their privacy preference setting.

Department Response

The Department’s Chief Information Officer concurred with all of our recommendations. (OSE-19047)

Commerce Needs to Implement New Contracting Policies

During this semiannual period, we advised the Department that contracting officers had not been notified of their new responsibilities for handling certain contract-related duties that were formerly performed by the Small Business Administration (SBA). The new responsibilities are pursuant to a June 2007 partnership agreement on the 8(a) Business Development Program between Commerce and SBA. The 8(a) program, authorized by the Small Business Act, promotes business development by giving preference to selected firms owned by socially and economically disadvantaged individuals including Alaska Native Corporations. One such preference, for example, makes it easier to award some sole-source contracts to these companies.

We also found the Department had not implemented OMB-mandated certification programs for program and project managers and for contracting officer technical representatives. The Department’s existing program and project managers should have been certified by April 25, 2008. Certification for technical representatives was required beginning in May. (Commerce had established a certification program for technical representatives in 2004, but it did not meet OMB’s new requirements.)

Commerce released draft certification policies in late May 2008, which were finalized in late June. Staff in the Office of Acquisition Management told us they were actively working to implement the new policies.

We recommended the Department immediately inform contracting officers of their new oversight responsibilities for 8(a) contracts and promptly begin implementing training and certification programs for procurement professionals to meet OMB requirements. (IPE-19045)

Nonfederal Audit Activities

In addition to undergoing OIG-performed audits, certain recipients of Commerce financial assistance are periodically examined by state and local government auditors and by independent public accountants. OMB Circular A-133, Audits of States, Local Governments, and Non-Profit Organizations, sets forth the audit requirements for most of these audits. For-profit organizations that receive Advanced Technology Program funds from NIST are audited in accordance with Government Auditing Standards and NIST Program-Specific Audit Guidelines for ATP Cooperative Agreements, issued by the Department.

We examined 193 audit reports during this semiannual period to determine whether they contained any audit findings related to Department programs. For 97 of these reports, the Department acts as oversight agency and monitors the audited entity’s compliance with OMB Circular A-133 or NIST’s program-specific reporting requirements. The other 96 reports are from entities for which other federal agencies have oversight responsibility. We identified 13 with findings related to the Department.

Report Category                 OMB A-133 Audits   ATP-Program-Specifics Audits   Total
Pending (April 1, 2008)                       25                              5      30
Received                                     164                             59     223
Examined                                     147                             46     193
Pending (September 30, 2008)                  42                             18      60

We identified a total of $3,243,336 in federal questioned costs and $203,292 in funds to be put to better use. In most reports the subject programs were not considered major programs; thus the audits involved limited transaction and compliance testing against laws, regulations, and grant terms and conditions. The 13 reports with Commerce findings are listed in Appendix B-1.

The following table shows a breakdown by bureau of approximately $716 million in Commerce funds audited.

Bureau        Funds
EDA           $ 183,297,299
(Regional Offices of Audits)\n        ITA                                           303,908\n\n        NIST*                                     70,913,300\n\n        NOAA                                       77,271,369\n\n        NTIA                                         752,684\n\n        Multiagency                              383,028,411\n\n                  Total                        $ 715,566,971\n       * Includes $67,178,707 in ATP program-specific audits.\n\n\n\n\n                                                                39\n\x0cPhoto Courtesy Commerce Photographic Service\n\n\nUS flag draped outside Commerce headquarters.\n\x0cOFFICE OF INSPECTOR GENERAL\n\t\n\nT       he mission of the Office of Inspector General is to promote economy, efficiency, and effectiveness\n        and detect and prevent waste, fraud, abuse, and mismanagement in the programs and operations of\n        the U.S. Department of Commerce. Through its audits, inspections, performance evaluations, and\ninvestigations, OIG proposes innovative ideas and constructive solutions that lead to positive changes for the\nDepartment. By providing timely, useful, and reliable information and advice to departmental officials, the\nadministration, and Congress, OIG\xe2\x80\x99s work helps improve Commerce management and operations as well as its\ndelivery of services to the public.\n\n\n\nOffice of Investigations                                   ing activities to determine how the federal funds were\n                                                           being used. 
The findings of this analysis provided key\n                                                           evidence in the trial.\nFormer Research Scientist Convicted\nof ATP Grant Fraud                                         The scientist faces a maximum sentence of 10 years in\n                                                           prison and a maximum fine of $250,000 or twice the\nAs detailed in our September 2007 Semiannual Report        gross pecuniary loss or gain derived from the offense.\n(page 50), in June 2007, the recipient of a $2 million     Sentencing is scheduled for October 2008. (Atlanta\nNIST Advanced Technology Program award was in\xc2\xad             Field Office of Investigations and Atlanta Regional Office of\ndicted for program fraud after an OIG investigation        Audits)\nfound that hundreds of thousands of dollars from the\ngrant had been diverted to the defendant\xe2\x80\x99s personal        Workers\xe2\x80\x99 Compensation Investigation\nuse. On June 12, 2008, the scientist was convicted in      Leads to Recovery of Benefits\nFederal District Court for the Southern District of\nNew York of intentionally misapplying approximate\xc2\xad         On June 16, 2008, a former employee of the Minor\xc2\xad\nly $500,000 of the grant funds to pay for numerous         ity Business Development Agency was ordered to re\xc2\xad\npersonal expenses, including rent, home renovations,       pay more than $180,000 she had received in disability\ncleaning services for his condominium, restaurant          benefits. An OIG investigation revealed that she had\nmeals, and miscellaneous household items.                  
failed to report outside earnings on annual certifica\xc2\xad\n                                                           tions filed over a 6-year period while simultaneously\nThis conviction was the result of a collaborative ef\xc2\xad      receiving the federal disability payments.\nfort between OIG\xe2\x80\x99s Atlanta Regional Office of Audits\nand the Office of Investigations that began in 2003,       The individual had been on disability since June 2002\nwhen audits of the recipient identified overstated         following a claim that she had sustained on-the-job in\xc2\xad\nproject expenses and inappropriate costs of $547,425       juries in a fall while traveling on government business.\ncharged against the grant. The auditors and investiga\xc2\xad     Her monthly benefits were approximately $3,500. The\ntors worked together to analyze the recipient\xe2\x80\x99s bank\xc2\xad      OIG investigation found that the individual had failed\n\n\n                                                      41\n\x0cOffice of Inspector General                                                       September 2008\xe2\x80\x94Semiannual Report to Congress\n\n\n\n                                                                       purchases to a credit card she had falsely opened in\n                                                                       the name of the NWS. An OIG investigation found\n                                                                       that in 2006, the employee opened the account online\n                                                                       and over a 4-week period purchased DVD players, an\n                                                                       MP3 player, two laptop computers, and other items\n                                                                       totaling $4,423.92. 
NWS discovered the theft after\n                                                                       the employee defaulted on payments and a collections\n                                                                       agency contacted NWS management. The employee\n                                                                       was sentenced to 5 years probation and ordered to\n                                                                       pay restitution of $4,006.05 (the current account bal\xc2\xad\n                                                                       ance) and complete 120 hours of community service.\n                                                                       (Denver Resident Office)\n\n                                                                       ITA Intern Sentenced for Credit Card\n                                                                       Theft\n\n                                                                       As reported in our March 2008 Semiannual Report\n                                                                       (page 25), a former intern of the International Trade\n                                                                       Administration was convicted of felony credit card\n                                                                       fraud in Fairfax County, Virginia, Circuit Court, af\xc2\xad\n                                                                       ter a joint OIG/Fairfax County Police investigation\n                                                                       discovered the intern had used his position to obtain\n                                                                       government credit card information on various high-\n         to report rental income she was concurrently receiv\xc2\xad          ranking Commerce officials including the Secretary of\n         ing from September 2003 through 
February 2008 as              Commerce. As part of his official duties, the intern\n         owner and landlord of a property investment and               prepared clearances for Commerce trade missions\n         management company. (Atlanta Field Office)                    and had access to account numbers and expiration\n                                                                       dates for government travel credit cards, as well as full\n         NOAA Grantee Indicted, Pleads                                 names, dates and places of birth, and passport infor\xc2\xad\n         Guilty to Theft of Federal Funds                              mation. The intern used the credit card information\n                                                                       to purchase thousands of dollars worth of tickets via\n         On September 24, 2008, a NOAA grantee pled guilty             an Internet travel site. He was sentenced on July 18,\n         to one count of theft following his indictment by             2008 to 2 years in prison, 2 years probation, and or\xc2\xad\n         a Federal Grand Jury in the District of Hawaii. An            dered to pay more than $52,000 in restitution. (Silver\n         OIG investigation revealed that the grantee had spent         Spring Resident Office)\n         $60,000 of the $109,886 award on drugs, clothing, a\n         Rolex watch, and other items, as well as on hotel ac\xc2\xad         Former NIST Employee Pleads Guilty,\n         commodations. The NOAA grant was intended to                  Forfeits Assets in Major Theft Scheme\n         train 40 native Hawaiian people in fishing techniques.\n         Sentencing is scheduled for January 2009. 
(Atlanta            On August 8, 2008, a former NIST engineering tech\xc2\xad\n         Field Office)                                                 nician and coordinator of the agency\xe2\x80\x99s Charpy impact\n                                                                       testing program, pled guilty in U.S. District Court\n         NWS Employee Pleads Guilty to Cred-                           for the District of Colorado to one count of theft\n         it Card Theft                                                 of government property and one count of asset for\xc2\xad\n                                                                       feiture related to his work with the Charpy program.\n         On September 12, 2008, a National Weather Service             This program evaluates the integrity of industrial ma\xc2\xad\n         (NWS) employee pled guilty to one count of theft of           chines used to test the strength of structural steel for\n         property for charging more than $4,400 in personal            construction.\n\n\n\n                                                                  42\n\x0cSeptember 2008\xe2\x80\x94Semiannual Report to Congress                                                              Office of Inspector General\n\n\n\n       An OIG investigation revealed the individual\xe2\x80\x94while           Customs Enforcement, Postal Inspection Service in\xc2\xad\n       coordinator of the program\xe2\x80\x94had stolen 900 pounds             vestigation of an international telemarketing fraud\n       of government-owned steel test specimens valued in           scheme detailed in our September 2007 and March\n       excess of $500,000 and removed a copy of the pro\xc2\xad            2008 Semiannual Reports continued to produce con\xc2\xad\n       gram\xe2\x80\x99s customer database, which contained propri\xc2\xad            victions and orders for significant restitution and jail\n       etary information. 
He diverted the stolen property to        time during this reporting period.\n       a company he had formed for the purpose of selling\n       steel test specimens. For a year, while still employed at    The scheme was perpetrated by callers identifying\n       NIST, he operated the business and sold specimens            themselves as employees of the Commerce Depart\xc2\xad\n       identical to those produced by NIST. He retired from         ment and other federal agencies, who told victims they\n       the agency in 2003 and continued operating the busi\xc2\xad         had won huge cash prizes in a national lottery. They\n       ness until March 2006, when OIG investigators ex\xc2\xad            asked \xe2\x80\x9cwinners\xe2\x80\x9d to pay insurance and customs fees\n       ecuted a search warrant at his residence, recovering         and to wire funds to guarantee prize delivery. Inves\xc2\xad\n       some of the stolen property and other evidence in\xc2\xad           tigators have so far identified transfers of more than\n       cluding financial records and computer files.                $30 million from U.S. citizens to Costa Rica, where\n                                                                    the scheme was based, but the worldwide total could\n       Forensic analysis of the financial and computer data         top $1 billion.\n       revealed the defendant had realized economic benefits\n       of between $400,000 and $1 million from the stolen           During this semiannual period, 14 defendants were\n       property. He was ordered to forfeit all assets derived       sentenced and four others convicted on conspiracy\n       from or traceable to the proceeds generated from the         and wire fraud charges. They all face prison terms\n       stolen steel. The approximate value of the property          ranging from 3 to 50 years. In addition one more indi\xc2\xad\n       to be forfeited is between $900,000 and $1,000,000.          
vidual was arrested and two indicted. Total restitution\n       Sentencing is scheduled for December 2008. (Denver           ordered thus far exceeds $100 million.\n       Resident Office)\n                                                                    Over the past 5 years, this investigation has netted\n       Commerce Employee Arrested for                               nearly 40 arrests and 30 convictions of Americans\n       Metrochek Fraud                                              and Canadians involved in plots to defraud U.S. citi\xc2\xad\n                                                                    zens. The investigation is an integral part of the De\xc2\xad\n       OIG special agents arrested an Office of the Secre\xc2\xad          partment of Justice\xe2\x80\x99s Operation Global Con, a mas\xc2\xad\n       tary employee for first-degree theft after a joint inves\xc2\xad    sive international fraud investigation involving nearly\n       tigation with Washington, D.C., Metropolitan Police          3 million victims. (Atlanta Field Office)\n       disclosed that the employee received $1,950 in transit\n       subsidy benefits while assigned a parking space at the\n       Commerce headquarters building, and gave the ben\xc2\xad            Other Activities\n       efits to a relative. Between October 2004 and March\n       2007, the employee certified at quarterly benefits\n       distributions that she had not been issued a federal         The Inspector General Testifies\n       parking permit and would not transfer the benefits           on Reauthorization of National\n       to anyone else. 
A hearing in Superior Court of the\n                                                                    Marine Sanctuaries Act and\n       District of Columbia is scheduled for October 2008.\n       (Washington Field Office)                                    Economic Development Admin-\n                                                                    istration\n       Convictions, Restitution, and Jail\n       Terms Mount in Massive Telemarket-                           National Marine Sanctuaries Act\n       ing Fraud Case\n                                                                    On June 18, 2008, the Inspector General testified be\xc2\xad\n       An ongoing joint Commerce OIG, Immigration and               fore the House Subcommittee on Fisheries, Wildlife\n                                                                    and Oceans regarding OIG\xe2\x80\x99s oversight of the Nation\xc2\xad\n\n\n                                                                   43\n\x0cOffice of Inspector General                                                                         September 2008\xe2\x80\x94Semiannual Report to Congress\n\n\n\n\n                                                                                                                                                      NOAA\n         A Navy diver examines the bow of the Civil War ironclad USS Monitor. The Monitor was designated the nation\xe2\x80\x99s first national marine sanctuary in 1975.\n\n\n         al Marine Sanctuary Program as Congress deliberated                          tion is whether the program is ready for expansion.\n         reauthorizing the legislation that created the sanctuary                     The IG stated that NOAA needs to engage in a trans\xc2\xad\n         system. The last reauthorization was in 2000.                                
parent process to develop a list of potential sites for\n                                                                                      future designation and determine the factors, criteria,\n         Mr. Zinser described the sanctuary program as ef\xc2\xad                            and resource needs for adding sanctuaries. He gave\n         fectively protecting marine resources in the 13 ma\xc2\xad                          the subcommittee three recommendations for consid\xc2\xad\n         rine sanctuaries and one marine national monument.                           eration in reauthorizing the act:\n         He told the subcommittee that a 2008 OIG evalua\xc2\xad\n         tion found the program is meeting objectives despite                            1.\t Giving the Secretary of Commerce the flexibil\xc2\xad\n         major challenges, which include (1) managing under\xc2\xad                                 ity to establish management plan time frame\n         water areas that are far-reaching and geographically                                requirements to reflect variations in the com\xc2\xad\n         dispersed\xe2\x80\x94encompassing more than 158,000 square                                     plexity and circumstances of the sanctuaries,\n         miles of ocean and Great Lakes marine habitats; and                                 instead of the 5-year time frame that all sites\n         (2) balancing the protection and conservation of re\xc2\xad                                must currently meet, regardless of their size.\n         sources with vital commercial interests.                                        
2.\t Giving the Secretary the same authority for\n                                                                                             managing marine monuments as he now has\n         In addition, the Inspector General noted, assessments                               for managing the sanctuaries, such as assessing\n         by OMB and the National Academy of Public Ad\xc2\xad                                       civil penalties for violations, recovering damag\xc2\xad\n         ministration found the program to be well managed                                   es for injuries to sanctuary resources, and creat\xc2\xad\n         and effective.                                                                      ing community-based advisory councils.\n         Mr. \tZinser added that many stakeholders view the                               3.\t Establishing a separate title within the act that\n         sanctuary program favorably, and would like to see it                               specifies protection of maritime heritage re\xc2\xad\n         expand. But a threshold question for the reauthoriza\xc2\xad                               sources to strengthen the act\xe2\x80\x99s current empha\xc2\xad\n\n\n\n                                                                                 44\n\x0cSeptember 2008\xe2\x80\x94Semiannual Report to Congress                                                                 Office of Inspector General\n\n\n\n             sis on preserving maritime historic and cultural         or more.)\n             resources.\n                                                                      Mr. Zinser detailed the report\xe2\x80\x99s recommendations,\n       Beyond reauthorization, Mr. 
Zinser briefly mentioned           primarily that EDA develop a comprehensive strat\xc2\xad\n       the need for stronger enforcement of sanctuary reg\xc2\xad            egy and action plan that has specific measurable goals\n       ulations and noted that among other things, NOAA               and milestones built on strong oversight from the\n       should finalize a national plan for sanctuary enforce\xc2\xad         top down. The inspector general stated that EDA re\xc2\xad\n       ment; and consider making greater use of summary               sponded with a 30-point action plan and has made\n       settlement schedules, which set fixed fine amounts for         good progress in meeting its milestones.\n       misdemeanors and allow both federal and state en\xc2\xad\n       forcement officers to issue tickets on the spot. (View         He stressed, however, that the most significant out\xc2\xad\n       the complete testimony at www.oig.doc.gov.)                    standing action item was development of a central\n                                                                      automated database that provides current, reliable in\xc2\xad\n       Economic Development Administra-                               formation on the entire revolving loan portfolio. At\n       tion Reauthorization                                           the time of his testimony, the database was slated for\n                                                                      implementation by the spring of 2009.\n       On September 9, Mr. Zinser testified before the Sen\xc2\xad\n       ate Subcommittee on Transportation and Infrastruc\xc2\xad             Finally, Mr. Zinser noted that OIG\xe2\x80\x99s criminal investi\xc2\xad\n       ture on the 2008 reauthorization of Commerce\xe2\x80\x99s Eco\xc2\xad            gations and audits of public works grants underscore\n       nomic Development Administration.                              the need for closer EDA scrutiny. 
Though OIG\xe2\x80\x99s\n                                                                      oversight of these activities has been less extensive,\n       Mr. Zinser described EDA\xe2\x80\x99s grants programs and                 public works audits have questioned significant costs\n       funding, which totaled approximately $250 million              and identified millions in funds to be put to better\n       in FY 2007, and OIG\xe2\x80\x99s related oversight of the Re\xc2\xad             use. OIG investigations have uncovered instances in\n       volving Loan Fund program. He noted that since FY              which grantees diverted funds to enrich themselves\n       2000, OIG has audited 50 individual revolving loan             and as a result received prison terms and were ordered\n       funds that identified a series of common problems.             to pay fines and restitution. (View the complete testimony\n       OIG issued a capping report last year on EDA\xe2\x80\x99s over\xc2\xad           at www.oig.doc.gov.)\n       all management of the program. The report looked\n       at what actions EDA had taken to address the prob\xc2\xad\n       lems raised in the audit reports over the years and            Assistant Inspector General for\n       found that EDA had not made sufficient progress in             Audit and Evaluation Partici-\n       strengthening management of the revolving loan fund\n       program:                                                       pates in Congressional Cyber\n                                                                      Security Forum\n       EDA did not have a useful central database contain\xc2\xad\n       ing current, accurate information on revolving loan            On September 29, Judy Gordon, assistant inspector\n       fund balances or an adequate tracking and oversight            general for audit and evaluation, joined leaders and IT\n       system.                                                        
security authorities from government, business, and\n                                                                      education for the first of three forums on cyber se\xc2\xad\n       Grant recipients had too much cash on hand; they               curity, hosted by the Senate Homeland Security and\n       were not meeting EDA requirements for keeping the              Governmental Affairs Committee and the nonprofit\n       bulk of funds out in loans.                                    Institute for Information Infrastructure Protection.\n\n       Recipients were not filing financial reports within re\xc2\xad        Challenges to securing computer systems and infor\xc2\xad\n       quired time frames and EDA was not effectively us\xc2\xad             mation grow more complex as our options for access\xc2\xad\n       ing single audit reports to manage fund assets. (Single        ing them\xe2\x80\x94via cell phones, MP3 players, and a host of\n       audit reports are required by law for revolving loan           other portable wireless technologies\xe2\x80\x94multiply. The\n       funds with annual federal expenditures of $500,000             purpose of the forums is to foster greater IT security\n\n\n                                                                 45\n\x0cOffice of Inspector General                                                        September 2008\xe2\x80\x94Semiannual Report to Congress\n\n\n\n         research and development that will help public and             The remaining sessions will bring together other\n         private organization keep pace with evolving IT se\xc2\xad            groups of experts to address effective IT security\n         curity challenges, and ensure critical networks and the        technologies and the economic trade-offs organiza\xc2\xad\n         data they carry are safeguarded.                               tions make to secure their systems. 
At the conclusion of the sessions, the institute will deliver a report to the Senate subcommittee that details key findings and provides a possible roadmap for anticipating and promptly mitigating emerging security challenges.

Participants at the first forum explored IT security from the user’s perspective: what environments, tools, and motivations promote safe and secure online behavior among an organization’s employees and the general public? Discussions addressed, among other things, psychological and cognitive factors that prevent users from accurately assessing risk, the role of organizational culture in preventing misuse of information technology, and state and local law enforcement needs for combating electronic crime.

The Institute for Information Infrastructure Protection is a national consortium of universities, laboratories, and nonprofit organizations dedicated to strengthening the U.S. cyber infrastructure.


September 2008—Semiannual Report to Congress    Office of Inspector General


TABLES AND STATISTICS
Statistical Overview

TABLES                                                            PAGE
1. Investigative Statistical Highlights for this Period             47
2. Audit Resolution Follow-Up                                       48
3. Audit and Inspection Statistical Highlights for this Period      48
4. Audits with Questioned Costs                                     48
5. Audits with Recommendations that Funds Be Put to Better Use      49

APPENDIXES
A. Report Types this Period                                         50
  A-1. Performance Audits                                           50
  A-2. Inspections and Evaluations                                  51
B. Processed Audit Reports                                          52
  B-1. Processed Reports with Audit Findings                        52


Table 1. Investigative Statistical Highlights for this Period

Criminal Investigative Activities
  Arrests                                                                                     3
  Indictments and informations                                                                6
  Convictions                                                                                 8
  Personnel actions                                                                           1
  Fines, restitutions, judgments, and other civil and administrative recoveries     $94,408,255
Allegations Processed
  Accepted for investigation                                                                 52
  Referred to operating units                                                                33
  Evaluated but not accepted for investigation or referral                                   45
  Total                                                                                     130


Audit Resolution and Follow-Up

The Inspector General Act Amendments of 1988 require us to present in this report those audits issued before the beginning of the reporting period (April 1, 2008) for which no management decision had been made by the end of the period (September 30, 2008). Six audit reports remain unresolved for this reporting period (see page 53).

Department Administrative Order 213-5, Audit Resolution and Follow-up, provides procedures for management to request a modification to an approved audit action plan or for a financial assistance recipient to appeal an audit resolution determination. The following table summarizes modification and appeal activity during the reporting period.


Table 2. Audit Resolution Follow-Up

Report Category                         Modifications    Appeals
Actions pending (April 1, 2008)               0             6
Submissions                                   1             3
Decisions                                     0             6
Actions pending (September 30, 2008)          1             3


Table 3. Audit and Inspection Statistical Highlights for this Period

Questioned Costs                                                     $3,243,336*
Value of audit recommendations that funds be put to better use          203,292
Value of audit recommendations agreed to by management                  804,369
*This number includes costs questioned by state and local government auditors or independent public accountants.


Table 4. Audits with Questioned Costs

                                                                                      Questioned     Unsupported
Report Category                                                           Number           Costs           Costs
A. Reports for which no management decision had been made by the              21     $23,629,793      $4,541,940
   beginning of the reporting period
B. Reports issued during the reporting period                                  9       3,243,336         106,026
Total reports (A+B) requiring a management decision during the period         30      26,873,129       4,647,966
C. Reports for which a management decision was made during the                15       3,845,197         624,028
   reporting period²
   i. Value of disallowed costs                                                —         753,605         181,935
   ii. Value of costs not disallowed                                           —       3,091,592         442,093
D. Reports for which no management decision had been made by the              15      23,027,932       4,023,938
   end of the reporting period

NOTES:
¹ One audit report included in this table is also included among reports with recommendations that funds be put to better use (see table 5). However, the dollar amounts do not overlap.
² In Category C, lines i and ii do not always equal the total line C because resolution may result in values greater than the original recommendations.


Table 5. Audits with Recommendations that Funds Be Put to Better Use

Report Category                                                           Number         Value
A. Reports for which no management decision had been made by the               1      $104,711
   beginning of the reporting period
B. Reports issued during the reporting period                                  3       203,292
Total reports (A+B) requiring a management decision during the period¹         4       308,003
C. Reports for which a management decision was made during the                 2       155,475
   reporting period²
   i. Value of recommendations agreed to by management                         —        50,764
   ii. Value of recommendations not agreed to by management                    —       104,711
D. Reports for which no management decision had been made by the               2       152,528
   end of the reporting period

NOTES:
¹ One audit report included in this table is also included among reports with questioned costs (see table 4). However, the dollar amounts do not overlap.
² In Category C, lines i and ii do not always equal the total line C because resolution may result in values greater than the original recommendations.


Definitions of Terms Used in the Tables

Questioned cost: a cost questioned by OIG because of (1) an alleged violation of a provision of a law, regulation, contract, grant, cooperative agreement, or other agreement or document governing the expenditure of funds; (2) a finding that, at the time of the audit, such cost is not supported by adequate documentation; or (3) a finding that an expenditure of funds for the intended purpose is unnecessary or unreasonable.

Unsupported cost: a cost that, at the time of the audit, is not supported by adequate documentation. Questioned costs include unsupported costs.

Recommendation that funds be put to better use: an OIG recommendation that funds could be used more efficiently if Commerce management took action to implement and complete the recommendation, including (1) reductions in outlays; (2) deobligation of funds from programs or operations; (3) withdrawal of interest subsidy costs on loans or loan guarantees, insurance, or bonds; (4) costs not incurred by implementing recommended improvements related to Commerce, a contractor, or a grantee; (5) avoidance of unnecessary expenditures identified in preaward reviews of contracts or grant agreements; or (6) any other savings specifically identified.

Management decision: management’s evaluation of the findings and recommendations included in the audit report and the issuance of a final decision by management concerning its response.


Appendix A. Report Types this Period

Type                                   Number of Reports   Appendix Number
Performance audits                             1                 A-1
Inspections and systems evaluations           15                 A-2
Total                                         16


Appendix A-1. Performance Audits

Report Title                                                      Report Number   Date Issued   Funds to Be Put to Better Use
Office of the Secretary
  Review of Fiscal Year 2006 Congressional Earmarks               DEN-19021       05/30/08      —


Appendix A-2. Inspections and Evaluations

Bureau of Economic Analysis
  FY 2008 FISMA Assessment of BEA Estimation Information          OSE-19001       05/22/08      —
    Technology System (BEA-015)
Census Bureau
  OIG Reviews Through the Decade Identify Significant Problems    OIG-19217       06/25/08      —
    in Key Operations
  Census Should Further Refine Its Cost Estimate for              OIG-10958       08/08/08      —
    Fingerprinting Temporary Staff
  FY 2008 FISMA Assessment of Wireless Data Communications        OSE-19163       09/29/08
    General Support System (CEN28)
  FY 2008 FISMA Assessment of the Field Data Collection           OSE-19164       09/29/08      —
    Automation System (CEN22)
National Oceanic and Atmospheric Administration
  The National Data Buoy Center Should Improve Data Availability  IPE-18585       05/09/08      —
    and Contracting Practices
  NOAA’s Management of the Joint Enforcement Agreement Program    IPE-19050       09/30/08      —
    Needs to Be Strengthened
  FY 2008 FISMA Assessment of NWS Telecommunication Gateway       OSE-19000       09/22/08      —
    (NOAA8871)
  FY 2008 FISMA Assessment of Science and Technology System       OSE-19165       09/30/08      —
    (NOAA4020)
  FY 2008 FISMA Assessment of National Weather Service            OSE-19166       09/30/08      —
    International Satellite Communications System (NOAA8209)
  FY 2008 FISMA Assessment of Satellite Environmental             OSE-19167       09/30/08      —
    Processing System (NOAA5035)
United States Patent and Trademark Office
  The Overseas Intellectual Property Rights Attaché Program Is    IPE-19044       07/17/08      —
    Generally Working Well, but a Comprehensive Operating Plan Is Needed
  FY 2008 FISMA Assessment of Landon IP Information System        OSE-19367       09/30/08      —
    (PTOC-019-00)
  FY 2008 FISMA Assessment of Enterprise Remote Access System     OSE-19368       09/30/08      —
    (PTOI-011-00)
Office of the Secretary
  The Department’s Privacy Impact Assessment Process Is           OSE-19047       09/24/08      —
    Generally Implemented Well, But Some Improvements Are Needed


Appendix B. Processed Audit Reports

The Office of Inspector General reviewed and accepted 193 audit reports prepared by independent public accountants and local, state, and other federal auditors. The reports processed with questioned costs, recommendations that funds be put to better use, and/or nonfinancial recommendations are listed in Appendix B-1.

Agency                                                          Audits
Economic Development Administration                                 56
International Trade Administration                                   2
National Institute of Standards and Technology*                     50
National Oceanic and Atmospheric Administration                     29
National Telecommunications and Information Administration           2
Multiagency                                                         54
Total                                                              193
*Includes 46 ATP program-specific audits.


Appendix B-1 - Processed Reports with Audit Findings

                                                  Report            Date          Funds to       Federal       Federal
Report Title                                      Number            Issued       Be Put to        Amount        Amount
                                                                                Better Use    Questioned   Unsupported
Economic Development Administration
City of Baltimore Development Corporation, MD     ATL-09999-8-3244  09/26/08            $—      $ 37,000            $—
City of Union City, CA                            ATL-09999-8-3196  09/26/08             —     2,172,201             —
State of Connecticut                              ATL-09999-8-3171  09/26/08             —        85,468             —
Southeast Idaho Council of Governments, Inc., ID  ATL-09999-8-3080  09/30/08        50,764             —             —
National Institute of Standards and Technology
Intrexon Corporation, VA                          ATL-09999-8-3136  09/09/08             —        26,681        26,681
Intrexon Corporation, VA                          ATL-09999-8-3135  09/09/08             —        12,992        12,992
Umbanet, Inc., NY                                 ATL-09999-8-3127  09/09/08        24,667                           —
ISCA Technologies, Inc., CA                       ATL-09999-8-3011  09/26/08       127,861                           —
GE Energy (USA) LLC, DE                           ATL-09999-8-3191  09/30/08             —       663,832             —
Innovative Photonic Solutions, NJ                 ATL-09999-8-3265  09/30/08             —       145,670             —
National Oceanic and Atmospheric Administration
Government of Guam                                ATL-09999-8-3290  09/26/08             —        33,139             —
State of Washington                               ATL-09999-8-3174  09/26/08             —                           —
Alaska Eskimo Whaling Commission                  ATL-09999-8-3238  09/30/08             —        66,353        66,353


AUDITS UNRESOLVED FOR MORE THAN 6 MONTHS

Census Bureau

ITS Services, Inc. In March 2005, we reported that 3 of the 32 task orders awarded under an IT services contract were audited to determine whether the costs billed by the firm were reasonable, allowable, and allocable under contract terms and conditions and federal regulations. We found that the firm had failed to comply with numerous contract and federal requirements, and questioned more than $8.5 million in direct labor and reimbursable costs.

Computer & High Tech Management, Inc. We reported in our September 2005 Semiannual Report (page 14) the results of audits of 2 of the 21 task orders for another firm providing IT services to Census. We sought to determine whether the firm had complied with contract terms and conditions and federal regulations and had billed Census for work performed in accordance with specifications of the task order. We found that the firm failed to comply with numerous contract and federal requirements, which caused us to question more than $10.7 million in direct labor and other reimbursable costs.

We have suspended audit resolution on both of these contract audits pursuant to an agreement with Census.

NIST

Computer Aided Surgery Inc., New York. An OIG audit of this NIST cooperative agreement (see September 2004 issue, page 35, and March 2005 issue, page 33—ATL-16095) questioned costs totaling $547,426 in inappropriately charged rent, utilities, and certain salary, fringe benefit, and other expenses because these costs were unallowable, in excess of budgetary limits, or incorrectly categorized. This audit led to a criminal investigation, which resulted in a conviction (see page 41). Audit resolution is suspended, pending sentencing in October 2008.


REPORTING REQUIREMENTS

The Inspector General Act of 1978, as amended, specifies reporting requirements for semiannual reports. The requirements are listed below and indexed to the applicable pages of this report.

Section                                                                              Page
4(a)(2)               Review of Legislation and Regulations                          54-55
5(a)(1)               Significant Problems, Abuses, and Deficiencies                 13-43
5(a)(2)               Significant Recommendations for Corrective Action              13-43
5(a)(3)               Prior Significant Recommendations Unimplemented                54
5(a)(4)               Matters Referred to Prosecutive Authorities                    47
5(a)(5) and 6(b)(2)   Information or Assistance Refused                              55
5(a)(6)               Listing of Audit Reports                                       50-53
5(a)(7)               Summary of Significant Reports                                 13-39
5(a)(8)               Audit Reports—Questioned Costs                                 48
5(a)(9)               Audit Reports—Funds to Be Put to Better Use                    49
5(a)(10)              Prior Audit Reports Unresolved                                 55
5(a)(11)              Significant Revised Management Decisions                       55
5(a)(12)              Significant Management Decisions with Which OIG Disagreed      55


Section 4(a)(2): Review of Legislation and Regulations

This section requires the inspector general of each agency to review existing and proposed legislation and regulations relating to that agency’s programs and operations. Based on this review, the inspector general is required to make recommendations in the semiannual report concerning the impact of such legislation or regulations on the economy and efficiency of the management of programs and operations administered or financed by the agency or on the prevention and detection of fraud and abuse in those programs and operations. Comments concerning legislative and regulatory initiatives affecting Commerce programs are discussed, as appropriate, in relevant sections of the report.

Section 5(a)(3): Prior Significant Recommendations Unimplemented

This section requires identification of each significant recommendation described in previous semiannual reports for which corrective action has not been completed. Section 5(b) requires that the Secretary transmit to Congress statistical tables showing the number and value of audit reports for which no final action has been taken, plus an explanation of the reasons why recommended action has not occurred, except when the management decision was made within the preceding year.

To include a list of all significant unimplemented recommendations in this report would be duplicative. Information on the status of any audit recommendations can be obtained through OIG’s Office of Audits.

Sections 5(a)(5) and 6(b)(2): Information or Assistance Refused

These sections require a summary of each report to the Secretary when access, information, or assistance has been unreasonably refused or not provided. There were no instances during this semiannual period and no reports to the Secretary.

Section 5(a)(10): Prior Audit Reports Unresolved

This section requires a summary of each audit report issued before the beginning of the reporting period for which no management decision has been made by the end of the reporting period (including the date and title of each such report), an explanation of why a decision has not been made, and a statement concerning the desired timetable for delivering a decision on each such report. There were five Census reports and one NIST report more than 6 months old.

Section 5(a)(11): Significant Revised Management Decisions

This section requires an explanation of the reasons for any significant revision to a management decision made during the reporting period. Department Administrative Order 213-5, Audit Resolution and Follow-up, provides procedures for revising a management decision. For performance audits, OIG must be consulted and must approve in advance any modification to an audit action plan. For financial assistance audits, OIG must concur with any decision that would change the audit resolution proposal in response to an appeal by the recipient. The decisions issued on the six appeals of audit-related debts were finalized with the full participation and concurrence of OIG.

Section 5(a)(12): Significant Management Decisions with Which OIG Disagreed

This section requires information concerning any significant management decision with which the inspector general disagrees. Department Administrative Order 213-5 provides procedures for elevating unresolved audit recommendations to higher levels of Department and OIG management, including their consideration by an Audit Resolution Council. During this period no audit issues were referred to the council.